HPE MSR1000 Release Notes

HPE MSR1000_MSR2000_MSR3000_MSR4000-CMW710-R0306P30-US Release Notes
The information in this document is subject to change without notice.
© Copyright 2013, 2016 Hewlett Packard Enterprise Development LP

Summary of Contents for HPE MSR1000

  • Page 2: Table Of Contents

    Contents
    Version information ... 1
    Version number ... 1
    Version history ... 2
    Hardware and software compatibility matrix ... 6
    Upgrading restrictions and guidelines ... 8
    Hardware feature updates ... 8
    CMW710-R0306P30-US ... 8
    CMW710-R0306P07 ... 8
    CMW710-R0305P08 ... 8
    CMW710-R0305P04 ... 8
    CMW710-R0304P02 ...
  • Page 3

    Centralized devices upgrading from the CLI ... 71
    Saving the running configuration and verifying the storage space ... 71
    Downloading the image file to the router ... 71
    Specifying the startup image file ... 72
    Rebooting and completing the upgrade ... 73
    Distributed devices upgrading from the CLI ...
  • Page 4

    List of Tables
    Table 1 Version history ... 2
    Table 2 HPE product device numbers matrix ... 6
    Table 3 Hardware and software compatibility matrix ... 7
    Table 4 MIB updates ... 10
    Table 5 MSR1000 specifications ... 58
    Table 6 MSR2000/MSR2000 TAA specifications ... 58
    Table 7 MSR3000/MSR3000 TAA specifications ...
  • Page 5: Version Information

    <HPE> display version HPE Comware Software, Version 7.1.059, Release 0306P30 Copyright (c) 2010-2016 Hewlett Packard Enterprise Development LP HPE MSR3064 uptime is 0 weeks, 0 days, 0 hours, 2 minutes Last reboot reason : User reboot Boot image: cfa0:/msr3000-cmw710-boot-r0306p30.bin Boot image version: 7.1.059P20, Release 0306P30 Compiled Mar 16 2016 16:00:00 System image: cfa0:/msr3000-cmw710-system-r0306p30.bin...
  • Page 6: Version History

    Version history Table 1 Version history Version Release Release Last version Remarks number date type MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC • New feature: 1. SIP compatibility • Modified feature: CMW710-R0306 CMW710-R03 2016-06-0 Release 1. OSPF performance 06P12 version 2.Telnet redirect 3.POS terminal access 4.License...
  • Page 7 1. Support for Ethernet link aggregation on Layer 3 Ethernet subinterfaces 2. Changing the maximum number of FIB table entries 3. Enabling CWMP 4. The logo of HP is changed to HPE • Fixes bugs. MSR1000_2000_3000_4000 series, including MSR1003-8S •...
  • Page 8 MSR1000_2000_3000_4000 series, including MSR1003-8S • New feature: 1. Including vendor information in PPP accounting requests CMW710-R0304 CMW710-R03 2015-09-1 Release 2. BFD for an aggregation group 04P04 version • Modified feature: 1. SSH username 2. IS-IS hello packet sending interval 3. MP-group interface numbering •...
  • Page 9 7. Multicast VPN support for inter-AS option B • Modified feature: 1. 802.1X redirect URL 2. Displaying information about NTP servers from the reference source to the primary NTP server 3. Saving, rolling back, and loading the configuration 4. Displaying information about SSH users •...
  • Page 10: Hardware And Software Compatibility Matrix

    Hardware and software compatibility matrix CAUTION: To avoid an upgrade failure, use Table 3 to verify the hardware and software compatibility before performing an upgrade. Table 2 HPE product device numbers matrix Product code HPE Product name JG402A HPE MSR4080 Router Chassis JG403A...
  • Page 11: Table 3 Hardware And Software Compatibility Matrix

    JG734A HPE MSR2004-24 AC Router JG735A HPE MSR2004-48 Router JG866A HPE MSR2003 TAA-compliant AC Router JG869A HPE MSR4000 TAA-compliant MPU-100 Engine JG409B HPE MSR3012 AC Router Table 3 Hardware and software compatibility matrix Item Specifications Product MSR1000_MSR2000_MSR3000_MSR4000 family MSR1002-4_MSR1003-8S: 250 or higher...
  • Page 12: Upgrading Restrictions And Guidelines

    Add new card: 1-port E1 / T1 Voice SIC Module(JH240A) CMW710-R0305P04 The logo of HP is changed to HPE. CMW710-R0304P02 Add new cards: HPE MSR 4GLTE SIC Mod for CDMA/WCDMA (JG742B) HPE MSR 4G LTE SIC Mod for ATT (JG743B)
  • Page 13: Cmw710-R0304

    HPE MSR 4GLTE SIC Mod for Global (JG744B) HPE MSR HSPA+/WCDMA SIC Module (JG929A) CMW710-R0304 Add new router: HPE MSR1003-8S AC Router CMW710-E0302P06 Add new hardware: 8-port E1 / CE1 / T1 / CT1 / PRI HMIM Module (JH169A) 4-port E1 / CE1 / T1 / CT1 / PRI HMIM Module (JH170A)
  • Page 14: Software Feature And Command Updates

    300W DCPower(PSR300-12D2) Support USB modem E303c and E3131 Software feature and command updates For more information about the software feature and command update history, see HPE MSR1000_MSR2000_MSR3000_MSR4000-CMW710-R0306P30 Release Notes (Software Feature Changes). MIB updates Table 4 MIB updates Item MIB file...
  • Page 15 hh3c3GGsmMnc, hh3cSmsSrcNumberBind, hh3cSmsTimeBind, hh3cSmsEncodeBind, hh3cSmsContentBind, hh3cSmsRxNotifSwitch and hh3cSmsRxNotification CMW710-R0305P04 None None None Modified description of sysDescr, sysContact, Modified rfc1213.mib RFC1213-MIB sysName and sysLocation, sysObjectID CMW710-R0305 None None None Modified description of Modified rfc1213.mib RFC1213-MIB sysDescr and sysObjectID CMW710-R0304P12 None None None Modified description of rfc2925-disman-ping.mib...
  • Page 16 hh3c-mplste.mib HH3C-MPLSTE-MIB Added H3C-MPLSTE-MIB Added rfc6445-mpls-frr-facility-std.m MPLS-FRR-FACILITY-STD MPLS-FRR-FACILITY-STD- -MIB Added rfc6445-mpls-frr-general-std. MPLS-FRR-GENERAL-ST MPLS-FRR-GENERAL-STD D-MIB -MIB rfc3812-mpls-te-std.mib MPLS-TE-STD-MIB Added MPLS-TE-STD-MIB rfc3970-te.mib TE-MIB Added TE-MIB Added HH3C-TRANSCEIVER-INF hh3c-transceiver-info.mib HH3C-TRANSCEIVER-INF O-MIB O-MIB rfc5519-mgmd-std.mib MGMD-STD-MIB Added MGMD-STD-MIB Added rfc4560-disman-traceroute.m DISMAN-TRACEROUTE- DISMAN-TRACEROUTE-MI rfc2925-disman-ping.mib DISMAN-PING-MIB Added DISMAN-PING-MIB rfc5603-pw-enet-std.mib PW-ENET-STD-MIB Added PW-ENET-STD-MIB...
  • Page 17 description of sysContact and sysLocation; Modified Access of ipAddressStorageType. Modified description of isisRouterID, isisSysLevelTEEnabled, isisNextCircIndex, isisCirc3WayEnabled, rfc4444-isis.mib ISIS-MIB isisCircExtendedCircID, isisISAdj3WayState and isisISAdjNbrExtendedCirc Modified description of rfc2465-ipv6.mib IPV6-MIB ipv6IfDescr Modified description of hh3cdot1sStpForceVersi hh3c-splat-mstp.mib HH3C-LswMSTP-MIB Modified description and IGMP-STD-MIB rfc2933-igmp-std.mib IGMP-STD-MIB PDS of Updated the rfc2863-if.mib...
  • Page 18 pingTestFailed, pingTestCompleted, hh3cNqaProbeTimeOverThr eshold, hh3cNqaJitterRTTOverThre shold, hh3cNqaProbeFailure, hh3cNqaJitterPacketLoss, hh3cNqaJitterSDOverThres hold, hh3cNqaJitterDSOverThres hold, hh3cNqaICPIFOverThreshol hh3cNqaMOSOverThreshol Modified description of rfc4133-entity.mib ENTITY-MIB entPhysicalAlias, entPhysicalAssetID Modified description of hh3c-if-ext.mib HH3C-IF-EXT-MIB HH3C-IF-EXT-MIB Modified description of hh3c-config-man.mib HH3C-CONFIG-MAN-MIB HH3C-CONFIG-MAN-MIB Modified description of hh3c-trng2.mib HH3C-TRNG2-MIB HH3C-TRNG2-MIB Modified description of rfc2925-disman-ping.mib DISMAN-PING-MIB pingCtlTable...
  • Page 19 HH3C-LSW-DEV-ADM-MI hh3c-lsw-dev-adm.mib Added hh3cLswCpuTable hh3c-3gmodem.mib HH3C-3GMODEM-MIB Added hh3cLteInfoTable Modified description of hh3c-trap.mib HH3C-TRAP-MIB hh3cTrapConfigSwitch Modified description of rfc2863-if.mib IF-MIB ifOutQLen Added hh3c-ip-address.mib HH3C-IP-ADDRESS-MIB hh3cIpAddrFirstTrapTime Modified description of fc1471-ppp-lcp.mib PPP-LCP-MIB pppLinkStatusBadFCSs Modified title of ieee8023-lag.mib IEEE8023-LAG-MIB IEEE8023-LAG-MIB Modified title of hh3c-lag.mib HH3C-LAG-MIB HH3C-LAG-MIB Modified description of...
  • Page 20 Modified description of rfc2819-rmon.mib RMON-MIB default value in RMON-MIB Modified description of rfc4502-rmon.mib RMON2-MIB default value in RMON2-MIB Removed lldpXdot1dcbxConfigETSCo nfigurationTable lldpXdot1dcbxConfigETSRe commendationTable lldpXdot1dcbxConfigPFCTa lldpXdot1dcbxConfigApplicat ionPriorityTable lldpXdot1dcbxLocETSBasic ConfigurationTable lldpXdot1dcbxLocETSConPr iorityAssignmentTable lldpXdot1dcbxLocETSConTr afficClassBandwidthTable lldpXdot1dcbxLocETSConTr afficSelectionAlgorithmTable lldpXdot1dcbxLocETSReco TrafficClassBandwidthTable lldpXdot1dcbxLocETSReco TrafficSelectionAlgorithmTa lldpXdot1dcbxLocPFCBasic Table lldp-ext-dot1-v2.mib LLDP-EXT-DOT1-V2-MIB lldpXdot1dcbxLocPFCEnabl...
  • Page 21 nPriorityAppTable lldpXdot1dcbxAdminETSBa sicConfigurationTable lldpXdot1dcbxAdminETSCo nPriorityAssignmentTable lldpXdot1dcbxAdminETSCo nTrafficClassBandwidthTabl lldpXdot1dcbxAdminETSCo nTrafficSelectionAlgorithmT able lldpXdot1dcbxAdminETSRe coTrafficClassBandwidthTab lldpXdot1dcbxAdminETSRe coTrafficSelectionAlgorithm Table lldpXdot1dcbxAdminPFCBa sicTable lldpXdot1dcbxAdminPFCEn ableTable lldpXdot1dcbxAdminApplicat ionPriorityAppTable CMW710-E0102 rfc5060-pim-std.mib PIM-STD-MIB Added PIM-STD-MIB rfc5240-pim-bsr.mib PIM-BSR-MIB Added PIM-BSR-MIB hh3c-qinqv2.mib HH3C-QINQV2-MIB Added HH3C-QINQV2-MIB rfc3019-ipv6-mld.mibs IPV6-MLD-MIB Added IPV6-MLD-MIB Added hh3cLswSlotMemRev, HH3C-LSW-DEV-ADM-MI hh3c-lsw-dev-adm.mib hh3cLswSlotPhyMemRev,...
  • Page 22 ipv6IfDescr Modified description of hh3c-splat-mstp.mib HH3C-LswMSTP-MIB hh3cdot1sStpForceVersion Modified description and rfc2933-igmp-std.mib IGMP-STD-MIB PDS of nodes in IGMP-STD-MIB Modified description and rfc4133-entity.mib ENTITY-MIB PDS of entPhysicalAlias and entPhysicalAssetID Modified description of hh3c-posa.mib HH3C-POSA-MIB hh3cPosaFcmIdleTimeout Updated the rfc2863-if.mib rfc2863-if.mib IF-MIB from rfc2233-if.mib CMW710-E0102 Added hh3c-ike-monitor.mib...
  • Page 23 Added hh3c-rmon-ext2.mib HH3C-RMON-EXT2-MIB HH3C-RMON-EXT2-MIB rfc5132-ipmcast.mib IPMCAST-MIB Added IPMCAST-MIB Modified HH3C-COMMON-SYSTEM hh3c-common-system.mib HH3C-COMMON-SYSTEM- -MIB MIB to V2.4 Modified HH3C-LswINF-MIB hh3c-splat-inf.mib HH3C-LswINF-MIB to V3.4 Added hh3cICLogbufferContTable hh3c-infocenter.mib HH3C-INFO-CENTER-MIB HH3C-INFO-CENTER-MIB Added hh3cLswSlotPktBufFree, HH3C-LSW-DEV-ADM-MI hh3cLswSlotPktBufInit, hh3c-lsw-dev-adm.mib hh3cLswSlotPktBufMin and hh3cLswSlotPktBufMiss in hh3cLswSlotTable Added ipv6RouteNumber, rfc2465-ipv6.mib IPV6-MIB ipv6DiscardedRoutes and ipv6RouteTable...
  • Page 24: Operation Changes

    Operation changes None Restrictions and cautions HPE’s FXS does not support call transfers from an analog phone to Lync Server. The following features are excluded in the US version of the software: ASPF, zone-based firewall and SSL VPN. Open problems and workarounds 201603240546 •...
  • Page 25: List Of Resolved Problems

    List of resolved problems Resolved problems in CMW710-R0306P30 201603140497 • Symptom: An MSR2003 router displays the message "Watchdog timeout ==MSR2003 Reboot with CW7 e0402l10" if GRE over IPsec runs on a subinterface and MPLS L3VPN settings are configured on the GRE tunnel interface. •...
  • Page 26 201512230234 • Symptom: In a dynamic link aggregation group, an Ethernet subinterface is not Selected after certain operations are performed. • Condition: This symptom might occur if the following operations are performed: a. Create a dynamic link aggregation group and assign an Ethernet subinterface to the group. b.
  • Page 27 201605040142 • Symptom: IKE SA setup fails because "Number of negotiating IKE SAs exceeded the limit" after certain operations are performed. • Condition: This symptom might occur if the IKE keychain settings at the two ends of an IKE SA are inconsistent and the IKE SA is repeatedly created and deleted.
  • Page 28: Resolved Problems In Cmw710-R0306P12

    201605130382 • Symptom: An incorrect PSTN cause code results in an incorrect SIP status code. • Condition: None. 201604290522 • Symptom: Mirrored packets from a Layer 3 mirroring source port might carry an incorrect IP version value. • Condition: None. 201603140262 •...
  • Page 29: Resolved Problems In Cmw710-R0306P11

    201604090420 • Symptom: The QoS policy configuration issued by IMC contains incorrect parameters for the CAR action of a traffic behavior. • Condition: None. 201603050111 • Symptom: After voice VLAN is enabled, and the router is rebooted, the priority of voice VLAN packets is incorrect.
  • Page 30 • Condition: This symptom might occur if the old pre-shared key is not deleted when the new key is set. 201602170270 • Symptom: On a CDMA-1xRTT/CDMA-EVDO network, 3G VPDN access fails if the mode of the SIC-4G-LTE module is switched to 3G. •...
  • Page 31 201601210332 • Symptom: After a subcard is removed and the router is rebooted, the interface indexes for the subcard change in the MIB. • Condition: This symptom might occur if a subcard is removed and the router is rebooted. 201601180511 •...
  • Page 32: Resolved Problems In Cmw710-R0306P07

    201604130088 • Symptom: When STP is globally enabled on a distributed router, the state of Layer 2 interfaces becomes discarding. • Condition: None. Resolved problems in CMW710-R0306P07 201601190330 • Symptom: The VPM light of the RT-SPU-100 module fails the equipment test. •...
  • Page 33 201511260615 • Symptom: The router reboots unexpectedly. • Condition: This symptom occurs if IPsec SAs and IKE SAs are repeatedly set up and deleted. 201511050564 • Symptom: The router reboots unexpectedly. • Condition: This symptom occurs if IPsec protects OSPFv3 routes, and active/standby switchover is performed for the router.
  • Page 34 201602240243 • Symptom: The router might reboot unexpectedly after running for 497 days. • Condition: None. 201602010060 • Symptom: RIP route filtering settings on the router are lost after the running configuration is saved and the router is rebooted. • Condition: This symptom might occur if one of the following operations is performed: Upgrade the software and reboot the router.
  • Page 35: Resolved Problems In Cmw710-R0305P08

    • Condition: This symptom might occur if the user-basic-service-ip-type { ipv4 | ipv6 | ipv6-pd } command is not configured. 201602010492 • Symptom: A VLAN interface cannot forward IPv6 traffic if a Layer 2 aggregate interface performs forwarding for the VLAN interface. •...
  • Page 36 • Condition: This symptom might occur if interfaces on the HMIM-8GEE interface cards receive MPLS frames greater than 3072 bytes. 201509250085 • Symptom: Operating modes do not take effect on interfaces on DSIC-1SHDSL-8W interface cards. • Condition: This symptom might occur if the DSIC-1SHDSL-8W interface cards are installed in the router together with other interface cards.
  • Page 37 • Symptom: CVE-2015-7705 • Condition: Denial of Service by Priming the Pump. • Symptom: CVE-2015-7855 • Condition: Denial of Service Long Control Packet Message. • Symptom: CVE-2015-7871 • Condition: NAK to the Future: NTP Symmetric Association Authentication Bypass Vulnerability. 201507140251 •...
  • Page 38 • Condition: This symptom occurs if the OpenFlow controller uses BDDP to perform topology discovery. 201509160400 • Symptom: A user line cannot be configured by using the line number command. • Condition: This symptom occurs if you use the line number command to configure the user line. 201509180141 •...
  • Page 39 201510160206 • Symptom: The dual-stack PPPoE server that mainly provides IPv6 services has available IPv6 addresses in the DHCPv6 address pool. PPPoE users who have no IPv4 addresses assigned cannot log in. • Condition: None. 201509220301 • Symptom: The Cellular process reboots unexpectedly. •...
  • Page 40 • Condition: This symptom occurs if ARP snooping is enabled on interfaces on the HMIM-8GSW or HMIM-24GSW interface card. 201512180334 • Symptom: The MSR2004-24 or MSR2004-48 router reboots unexpectedly. • Condition: This symptom occurs if the parameter of an SDK function on the switching chip of the router is null.
  • Page 41: Resolved Problems In Cmw710-R0305P04

    201510290199 • Symptom: An L2TP user with a matching full username fails L2TP authentication. An L2TP tunnel cannot be established. • Condition: This symptom occurs if the router acts as the L2TP LNS and is configured with the ppp user attach-format imsi-sn split command. 201510290176 •...
  • Page 42 201509300412 • Symptom: The peer drops the ARP packets sent by the router if the ARP packets carry 802.1Q VLAN tags with the CFI bit set to 1. • Condition: This symptom might occur if the ARP packets carry 802.1Q VLAN tags with the CFI bit set to 1.
  • Page 43 • Condition: None. 201507070217 • Symptom: ACL mismatches occur if a connection limit policy is applied to DS-Lite tunnels. • Condition: This symptom might occur if a connection limit policy is applied to DS-Lite tunnels. 201510200471 • Symptom: The routing, multicast, authentication, and voice modules stop working, and incorrect information is displayed for the TRAP, NetStream, and DHCP modules.
  • Page 44: Resolved Problems In Cmw710-R0305

    • Condition: The PKCS#7 parsing code does not handle missing inner EncryptedContent correctly. An attacker can craft malformed PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing. • Symptom: CVE-2015-1791 • Condition: If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data.
  • Page 45 201504130290 • Symptom: Fax transmission fails if fax pass-through by using the G.711alaw or G711ulaw codec is used for DIS signal transmission. • Condition: This symptom might occur if fax pass-through by using the G.711alaw or G711ulaw codec is used for DIS signal transmission. 201509240046 •...
  • Page 46: Resolved Problems In Cmw710-R0304P12

    • Condition: This symptom might occur if OSPF is enabled on the router, and the router has been operating for more than 210 days. 201507140154 • Symptom: The router can be successfully logged in to by using a public key through SSH1, but RSA fails to encrypt the public key.
  • Page 47 • Condition: This symptom might occur if the UDP port number of the packets is an odd number before byte order reversing. 201508030336 • Symptom: The router reboots unexpectedly if the IPsec tunnels on the router have been forwarding traffic for a long period of time. •...
  • Page 48 Save the configuration. Shut down the IRF physical interfaces. Change the operation mode from IRF to standalone after the IRF fabric splits. 201507090504 • Symptom: When a PoE profile is configured, the router warns that the maximum PI power specified by using the poe max-power command is invalid even if the value is in the valid power range.
  • Page 49: Resolved Problems In Cmw710-R0304P04

    201508060025 • Symptom: The settings of MP-group interfaces are incompatible after an MSR router is upgraded to E0302P06 or a later version. • Condition: This symptom occurs if an MSR router is upgraded to E0302P06 or a later version. 201507080421 •...
  • Page 50 201507020251 • Symptom: A PW is re-created after the L2VPN process is re-optimized by using the placement reoptimize command. • Condition: This symptom occurs if split horizon is enabled for the PW. 201506300136 • Symptom: An interface on the SIC-4GSW card cannot ping the directly connected interface on the same subnet after the interface is changed to a Layer 3 interface.
  • Page 51 201507020391 • Symptom: The TTL of a static blacklist entry is different from the actual aging time. • Condition: This symptom occurs if the static blacklist entry is added after a master/subordinate switchover in an IRF fabric. 201505150461 • Symptom: An interface cannot forward packets when it is up. •...
  • Page 52 201505290049 • Symptom: The hh3cTransceiver node does not return new information for a different transceiver module type. • Condition: This symptom occurs if the following operations are performed: Replace a transceiver module. Walk the hh3cTransceiver node by using a MIB browser. 201506250411 •...
  • Page 53 201505250363 • Symptom: Services are interrupted for about 50 minutes after the router runs for a long time with traffic load. • Condition: This symptom might occur if the DH-Group2 algorithm is used in an IPsec VPN environment. 201507200433 • Symptom: An interface on an MSR2004 router is up, but does not receive packets.
  • Page 54 • Condition: This symptom occurs if more than two VLANs exist and their VLAN interfaces are assigned IP addresses. 201504230195 • Symptom: On an IRF fabric, assertion information is displayed and subordinate routers reboot when the IPv4 device is pinged from the IPv6 side. •...
  • Page 55: Resolved Problems In Cmw710-R0304P02

    The router has a large number of BGP peers. 201507200270 • Symptom: An MSR1000 router reboots repeatedly. • Condition: This symptom occurs if the following operations are performed: Install a SIC-4SAE card into the router. Send bidirectional traffic between the router and its peer device.
  • Page 56: Resolved Problems In Cmw710-R0304

    201504230250 • Symptom: Traffic forwarding is interrupted on the router. • Condition: This symptom might occur if portal users repeatedly come online and go offline over a long period of time when the router is forwarding traffic. 201506120253 • Symptom: When the display qos policy interface command is executed for a VT interface configured with QoS policies, nothing is displayed or the console halts.
  • Page 57: Resolved Problems In Cmw710-E0302P06

    • Condition: Authentication doesn't protect symmetric associations against DoS attacks. 201504230275 • Symptom: A router replies with a re-INVITE message with the Referred-By header field after receiving a REFER request without the Referred-By header field from a Lync server. • Condition: This symptom occurs when a Lync server sends a REFER request without the Referred-By header field to the router.
  • Page 58 201501290181 • Symptom: When a L2VPN cross-connect is bound to a Layer 3 aggregate interface, receiving LACPDUs times out, and the aggregation group member ports flap frequently. • Condition: This symptom occurs when the L2VPN cross-connect is bound to a Layer 3 aggregate interface.
  • Page 59: Resolved Problems In Cmw710-E0102

    To find related documents, see the Hewlett Packard Enterprise Support Center website at http://www.hpe.com/support/hpesc. • Enter your product name or number and click Go. If necessary, select your product from the resulting list. • For a complete list of acronyms and their definitions, see HPE FlexNetwork technology acronyms.
  • Page 60: Related Documents

    HPE FlexNetwork MSR Router Series Interface Command Reference(V7) • HPE FlexNetwork MSR Router Series IP Multicast Command Reference(V7) • HPE FlexNetwork MSR Router Series Layer 2 - LAN Switching Command Reference(V7) • HPE FlexNetwork MSR Router Series Layer 2 - WAN Access Command Reference(V7) •...
  • Page 61: Documentation Feedback

    • HPE FlexNetwork MSR Router Series Layer 3 - IP Routing Configuration Guide(V7) • HPE FlexNetwork MSR Router Series Layer 3 - IP Services Configuration Guide(V7) • HPE FlexNetwork MSR Router Series MPLS Configuration Guide(V7) • HPE FlexNetwork MSR Router Series NEMO Configuration Guide(V7) •...
  • Page 62: Appendix A Feature List

    Appendix A Feature list Hardware features Table 5 MSR1000 specifications Item MSR1002-4 MSR1003-8S Console/AUX port USB port Gigabit Ethernet port SFP port Asynchronous/synchronous serial interface Memory 512 MB DDR3 1 GB DDR3 Flash 256 MB 256 MB SIC/DSIC slot 2 SIC slot (1 DSIC slot) 3 SIC slots (1 DSIC slot) Dimensions (H ×...
  • Page 63: Table 7 Msr3000/Msr3000 Taa Specifications

    Dimensions (H × W × D) 360mm×305.3mm×44.2 440mm×403.5mm×4 440mm×363.5mm×44.2 (excluding rubber feet and mounting brackets) AC power supply Rated voltage range: 100 VAC to 240 VAC @ 50 Hz/60 Hz Rated voltage range: DC power supply -48V d.c.~-60V d.c Maximum power for 150W AC/DC power supply 0 ~...
  • Page 64: Table 8 Msr4000 Specifications

    RPS power supply 800 W Power pluggable and Dual power backup Operating temperature 0°C to 45°C (32°F to 113°F) Relative humidity 5% to 90% (noncondensing) Table 8 MSR4000 specifications Item MSR4060 MSR4080 MPU slot SPU slot HMIM slot Dimensions (H × W × D), excluding rubber feet and 175.1 ×...
  • Page 65: Table 11 Msr2004-24 Ac Power Module Specifications

    Combo SFP+ port Applicable router model MSR4060/MSR4080 Applicable MPU MPU-100 Table 11 MSR2004-24 AC power module specifications Item Specification Rated input voltage range 100 VAC to 240 VAC @ 50 Hz or 60 Hz Rated power 150 W Table 12 MSR2004-48 DC power module specifications Item Specification Rated input voltage range...
  • Page 66 4-port enhanced synchronous/asynchronous serial SIC interface module(RT-SIC-4SAE(JG737A)) • HPE MSR 4GLTE SIC Mod for CDMA/WCDMA (JG742B) • HPE MSR 4G LTE SIC Mod for ATT (JG743B) • HPE MSR 4GLTE SIC Mod for Global (JG744B) • HPE MSR HSPA+/WCDMA SIC Module (JG929A) Voice interface modules: •...
  • Page 67 • 1-port 8-wire G.SHDSL (RJ45) DSIC Module Ethernet interface modules: • 2-port 10M/100/1000M Ethernet electrical HMIM interface module (RJ45) (HMIM-2GEE) • 4-port 10M/100/1000M Ethernet electrical HMIM interface module (RJ45) (HMIM-4GEE) • 8-port 10M/100/1000M Ethernet electrical HMIM interface module (RJ45) (HMIM-8GEE) •...
  • Page 68 • 1-port SDH/SONET interface module (MIM-1POS-V2) • 1-port dual-pair G.SHDSL interface module (MIM-1SHL-4W) • HPE MSR OAP MIM Module with VMware vSphere (JG532A) Voice interface modules: • 1 channel E1 voice MIM interface module (MIM-1VE1) • 1 channel T1 voice MIM interface module (MIM-1VT1) •...
  • Page 69: Software Features

    Sierra-MC7700 HPE MSR 4G LTE SIC Mod for Global JG744A Sierra-MC7710 CAUTION: For the support and restrictions of modules, see HPE FlexNetwork MSR Routers Interface Configuration Guide(V7), Appendix Purchase Guide. Software features Table 18 MSR Series routers software features Category Features...
  • Page 70 IP Option IP unnumber Policy routing (unicast/multicast) Non-IP services: Netstream Ping and Trace DHCP Server DHCP Client DNS client DNS Static IP application IP Accounting Telnet TFTP Client FTP Client FTP Server Static routing management Dynamic routing protocols: • • OSPF •...
  • Page 71 • • PIM-DM • PIM-SM • PIM-SSM Local authentication Radius HWTacacs LDAP ASPF Firewall FILTER Port security IPSec PORTAL L2TP NAT/NAPT Security SSH V1.5/2.0 URPF VRRP Backup center Reliability Flow-base QOS Policy Port-Based Mirroring Packet Remarking Priority Mapping L2 QoS Port Trust Mode Port Priority Flow Filter...
  • Page 72 Voice Interfaces E&M E1VI/T1VI Voice Signaling DSS1 SIP Operation G.711A law G.711U law G.723R53 Codec G.723R63 G.729a G.729R8 G.729bR8 Media Process SNMP V1/V2c/V3 Network SYSLOG management RMON NETCONF Command line management License management Local management File system management Auto-configure Dual Image Console interface login AUX interface login TTY interface login...
  • Page 73: Appendix B Upgrading Software

    Appendix B Upgrading software This section describes how to upgrade system software while the router is operating normally or when the router cannot correctly start up. Software types The following software types are available: • Boot ROM image—A .bin file that comprises a basic section and an extended section. The basic section is the minimum code that bootstraps the system.
  • Page 74: Preparing For The Upgrade

    Preparing for the upgrade Before you upgrade system software, complete the following tasks: • Set up the upgrade environment as shown in Table Configure routes to make sure that the router and the file server can reach each other. • Run a TFTP or FTP server on the file server.
  • Page 75: Centralized Devices Upgrading From The Cli

    262144 KB total (223992 KB free) <HPE> Downloading the image file to the router Using TFTP Download the system software image file, for example, msr2000.ipe to the flash on the router. <HPE>tftp 192.168.1.100 get msr2000.ipe % Total % Received % Xferd Average Speed Time...
  • Page 76: Specifying The Startup Image File

    Return to user view. [ftp]quit 221 Service closing control connection <HPE> Specifying the startup image file Specify the msr2000.ipe file as the main image file at the next reboot. <HPE>boot-loader file flash:/msr2000.ipe main Images in IPE: msr2000-cmw710-boot-a0005.bin msr2000-cmw710-system-a0005.bin msr2000-cmw710-security-a0005.bin msr2000-cmw710-voice-a0005.bin msr2000-cmw710-data-a0005.bin...
  • Page 77: Rebooting And Completing The Upgrade

    After the reboot is complete, verify that the system software image is correct. <HPE> display version HPE Comware Software, Version 7.1.042, Release 000702 Copyright (c) 2010-2013 Hewlett-Packard Development Company, L.P. HPE MSR2003 uptime is 0 weeks, 0 days, 13 hours, 23 minutes Last reboot reason : User reboot Boot image: flash:/msr2000-cmw710-boot-a0005.bin Boot image version: 7.1.040, Alpha 0005...
  • Page 78: Distributed Devices Upgrading From The Cli

    Display the slot number of the active MPU Perform the display device command in any view to display the slot number of the active MPU. By default, the standby MPU will automatically synchronize the image files from active MPU. <HPE>display device Slot No. Board Type...
  • Page 79: Download The Image File To The Router

    Specifying the startup image file Perform the boot-loader command in user view to specify the msr4000.ipe file as the main image file for the active MPU on slot 0 at the next reboot. <HPE>boot-loader file flash:/msr4000.ipe slot 0 main Images in IPE: msr4000-cmw710-boot-a0005.bin msr4000-cmw710-system-a0005.bin...
  • Page 80 <HPE> Perform the boot-loader command in user view to specify the msr4000.ipe file as the main image file for the standby MPU on slot 1 at the next reboot. <HPE>boot-loader file flash:/msr4000.ipe slot 1 main Images in IPE: msr4000-cmw710-boot-a0005.bin msr4000-cmw710-system-a0005.bin...
  • Page 81: Reboot And Completing The Upgrade

    <HPE> display version HPE Comware Software, Version 7.1.042, Release 000702 Copyright (c) 2010-2013 Hewlett-Packard Development Company, L.P. HPE MSR4060 uptime is 0 weeks, 0 days, 11 hours, 49 minutes Last reboot reason : Power on Boot image: cfa0:/MSR4000-cmw710-boot-a0005.bin Boot image version: 7.1.040, Alpha 0005 System image: cfa0:/MSR4000-cmw710-system-a0005.bin...
  • Page 82: Distributed Devices Issu

    2G bytes DDR3 SDRAM Memory 8M bytes Flash Memory Version: CPLD Version: Basic BootWare Version: 1.04 Extended BootWare Version: 1.04 [SUBSLOT 0]CON (Hardware)2.0 (Driver)1.0, (Cpld)1.0 [SUBSLOT 0]AUX (Hardware)2.0 (Driver)1.0, (Cpld)1.0 [SUBSLOT 0]MGE0 (Hardware)2.0 (Driver)1.0, (Cpld)1.0 Slot 1: MPU-100 uptime is 0 week, 0 day, 1 hour, 8 minutes Last reboot reason : User reboot CPU ID: 0x3 2G bytes DDR3 SDRAM Memory...
  • Page 83: Disabling The Standby Mpu Auto-Update Function

    When you upgrade the active MPU of a dual-MPU distributed device, the standby MPU auto-update function automatically upgrades the standby MPU by default. To use ISSU, you must disable the function. To disable the standby MPU auto-update function: View the roles of the MPUs. <HPE>display device Slot No. Board Type Status Primary...
  • Page 84: Downloading The Upgrade Image File To The Router

    Copying file cfa0:/msr4000.ipe to slot1#cfa0:/ msr4000.ipe...Done. Upgrading the standby MPU Specify the msr4000.ipe file as the main startup image file for the standby MPU. <HPE>boot-loader file msr4000.ipe slot 1 main Verifying the IPE file and the images..Done. HPE MSR4060 images in IPE: msr4000-cmw710-boot-e010305.bin...
  • Page 85 The images that have passed all examinations will be used as the main startup software images at the next reboot on slot 1. Reboot the standby MPU. <HPE>reboot slot 1 This command will reboot the specified slot, Continue? [Y/N]:y Now rebooting, please wait...
  • Page 86: Upgrading The Active Mpu

    The output shows that the standby MPU is running the new images. Upgrading the active MPU Specify the msr4000.ipe file as the main startup image file for the active MPU. <HPE>boot-loader file msr4000.ipe slot 0 main Verifying the IPE file and the images..Done. HPE MSR4060 images in IPE: msr4000-cmw710-boot-e010305.bin...
  • Page 87 <HPE>reboot slot 0 This command will reboot the specified slot, Continue? [Y/N]:y Now rebooting, please wait... The standby MPU takes over the forwarding and controlling functions before the active MPU reboots. After the active MPU starts up, verify the startup image files.
  • Page 88: Upgrading From The Bootware Menu

    • Using XMODEM to upgrade software through the console port Accessing the BootWare menu Power on the router (for example, an HPE MSR 2003 router), and you can see the following information: System is starting... Press Ctrl+D to access BASIC-BOOTWARE MENU...
  • Page 89: Table 20 Bootware Menu Options

    **************************************************************************** Copyright (c) 2010-2013 Hewlett-Packard Development Company, L.P. Compiled Date : Jun 22 2013 CPU ID : 0x1 Memory Type : DDR3 SDRAM Memory Size : 1024MB Flash Size : 2MB Nand Flash size : 256MB CPLD Version : 2.0 PCB Version : 3.0 BootWare Validating...
  • Page 90: Using Tftp/Ftp To Upgrade Software Through An Ethernet Port

    BootWare. When you upgrade the system software image, BootWare is automatically upgraded. <7> BootWare Operation Menu HPE does not recommend upgrading BootWare separately. This document does not cover using the BootWare Operation menu. <8> Skip authentication for console login Clear all the authentication schemes on the console port.
  • Page 91: Table 22 Network Parameter Fields And Shortcut Keys

    Ctrl+D = Quit. ========================================================================== Protocol (FTP or TFTP) :ftp Load File Name :msr2000.ipe Target File Name :msr2000.ipe Server IP Address :192.168.1.1 Local IP Address :192.168.1.100 Subnet Mask :255.255.255.0 Gateway IP Address :0.0.0.0 FTP User Name :user001 FTP User Password :******** Table 22 Network parameter fields and shortcut keys Field Description...
  • Page 92 Image file msr2000-cmw710-system-a0005.bin is self-decompressing... Saving file flash:/msr2000-cmw710-system-a0005.bin ..............Done. Image file msr2000-cmw710-security-a0005.bin is self-decompressing... Saving file flash:/msr2000-cmw710-security-a0005.bin Done. Image file msr2000-cmw710-voice-a0005.bin is self-decompressing... Saving file flash:/msr2000-cmw710-voice-a0005.bin ..Done. Image file msr2000-cmw710-data-a0005.bin is self-decompressing... Saving file flash:/msr2000-cmw710-data-a0005.bin ..Done. ==========================<Enter Ethernet SubMenu>========================== |Note:the operating device is flash |<1>...
  • Page 93: Using Xmodem To Upgrade Software Through The Console Port

    Using XMODEM to upgrade software through the console port Enter 2 in the BootWare menu to access the Serial submenu. ===========================<Enter Serial SubMenu>=========================== |Note:the operating device is flash |<1> Download Image Program To SDRAM And Run |<2> Update Main Image File |<3>...
  • Page 94 Select Call > Disconnect in the HyperTerminal window to disconnect the terminal from the router. Figure 2 Disconnect the terminal connection NOTE: If the baud rate of the console port is 9600 bps, jump to step 9. Select File > Properties, and in the Properties dialog box, click Configure. Figure 3 Properties dialog box Select 115200 from the Bits per second list and click OK.
  • Page 95 Figure 4 Modify the baud rate Select Call > Call to reestablish the connection. Figure 5 Reestablish the connection Press Enter. The following menu appears: The current baudrate is 115200 bps ===============================<BAUDRATE SET>=============================== |Note:'*'indicates the current baudrate Change The HyperTerminal's Baudrate Accordingly |---------------------------<Baudrate Available>---------------------------| |<1>...
  • Page 96 Enter 0 to return to the Serial submenu. ===========================<Enter Serial SubMenu>=========================== |Note:the operating device is flash |<1> Download Image Program To SDRAM And Run |<2> Update Main Image File |<3> Update Backup Image File |<4> Download Files(*.*) |<5> Modify Serial Interface Parameter |<0>...
  • Page 97: Managing Files From The Bootware Menu

    Figure 8 File transfer progress 13. When the Serial submenu appears after the file transfer is complete, enter 0 at the prompt to return to the BootWare menu. Download successfully! 37691392 bytes downloaded! Input the File Name:main.bin Updating File flash:/main.bin....................Done! ===========================<Enter Serial SubMenu>=========================== |Note:the operating device is flash...
  • Page 98: Displaying All Files

    |<2> Set Image File type |<3> Set Bin File type |<4> Set Configuration File type |<5> Delete File |<6> Copy File |<0> Exit To Main Menu ========================================================================== Enter your choice(0-6): Table 24 File Control submenu options Item Description <1> Display All File Display all files.
  • Page 99: Deleting Files

    To change the type of a system software image: Enter 2 in the File Control submenu. 'M' = MAIN 'B' = BACKUP 'N/A' = NOT ASSIGNED ============================================================================ |NO. Size(B) Time Type Name 37691392 Aug/16/2012 07:09:16 N/A flash:/msr2000.ipe Exit ============================================================================ Enter file No:1 Enter the number of the file you are working with, and press Enter.
  • Page 100: Handling Software Upgrade Failures

    [Y/N]Y Deleting...Done. Handling software upgrade failures If a software upgrade fails, the system runs the old software version. To handle a software failure: Check the physical ports for a loose or incorrect connection. If you are using the console port for file transfer, check the HyperTerminal settings (including the baud rate and data bits) for any wrong setting.
  • Page 101: Handling Console Login Password Loss

    Restore to Factory Default Configuration: Delete the next-startup configuration files and load the factory-default configuration. To disable password recovery capability: Enter system view (system-view). Disable password recovery capability (undo password-recovery enable). By default, password recovery capability is enabled.
  • Page 102 Press Ctrl+D to access BASIC-BOOTWARE MENU... Press Ctrl+T to start heavy memory test Booting Normal Extended BootWare..The Extended BootWare is self-decompressing..Done. **************************************************************************** HPE MSR3000 BootWare, Version 1.20 **************************************************************************** Copyright (c) 2010-2013 Hewlett-Packard Development Company, L.P. Compiled Date : May 13 2013...
  • Page 103: Using The Skip Current System Configuration Option

    <HPE> system-view [HPE] line aux 0 [HPE-line-aux0] authentication-mode password [HPE-line-aux0] set authentication password simple 123456 Use the line aux 0 command on MSR2000 or MSR 3000 routers. The console port and the AUX port are the same physical port.
  • Page 104: Using The Skip Authentication For Console Login Option

    [HPE-line-aux0] save Using the Skip Authentication for Console Login option Reboot the router to access the EXTEND-BOOTWARE menu, and then enter 8. The current mode is password recovery. Note: The current operating device is cfa0 Enter < Storage Device Operation > to select device.
  • Page 105 "Configure a new console login authentication mode and a new console login password.". To make the settings take effect after a reboot, save the running configuration to the next-startup configuration file. [HPE] save...
  • Page 106 MSR1000_MSR2000_MSR3000_MSR4000- CMW710-R0306P30-US Software Feature Changes The information in this document is subject to change without notice. © Copyright 2013, 2016 Hewlett Packard Enterprise Development LP...
  • Page 107 Contents Release 0306P30-US ····································································· 12 New feature: SIP compatibility ·························································· 12 Configuring SIP compatibility ········································································································ 12 Command reference ··················································································································· 13 sip-compatible ···················································································································· 13 Modified feature: OSPF performance optimization ································· 14 Feature change description ·········································································································· 14 Command changes ···················································································································· 14 Modified command: spf-schedule-interval ················································································ 14 Modified command: transmit-pacing ························································································...
  • Page 108 Release 0306P11 ··········································································· 21 New feature: Voice VLAN ································································ 21 Configuring a voice VLAN ············································································································ 21 Configuring a port to operate in automatic voice VLAN assignment mode ······································ 21 Configuring a port to operate in manual voice VLAN assignment mode ········································· 22 Enabling LLDP for automatic IP phone discovery ······································································...
  • Page 109 Modified command: ip load-sharing mode ················································································ 33 Modified feature: Automatic configuration ············································ 34 Feature change description ·········································································································· 34 Command changes ···················································································································· 34 Modified feature: Software image signature ········································· 34 Feature change description ·········································································································· 34 Command changes ···················································································································· 34 Modified command: display install active ·················································································· 34 Modified command: display install backup ················································································...
  • Page 110 New feature: PKI support for Suite B ·················································· 61 Configuring Suite B in PKI ··········································································································· 61 Command reference ··················································································································· 61 Modified command: public-key ecdsa ······················································································ 61 New feature: IPsec support for Suite B ················································ 61 Overview ·································································································································· 62 IKEv2 negotiation process····································································································· 62 New features in IKEv2 ··········································································································...
  • Page 111 New command: priority (IKEv2 policy view) ············································································ 118 New command: priority (IKEv2 profile view) ············································································ 118 New command: proposal ···································································································· 119 New command: reset ikev2 sa ····························································································· 120 New command: reset ikev2 statistics ····················································································· 121 New command: sa duration ································································································· 122 New command: esn enable ·································································································...
  • Page 112 Modified command: display ssh server ·················································································· 165 Modified command: ssh user ······························································································· 165 Modified command: scp ······································································································ 166 Modified command: scp ipv6 ······························································································· 169 Modified command: sftp ······································································································ 172 Modified command: sftp ipv6 ······························································································· 175 Modified command: ssh2 ···································································································· 178 Modified command: ssh2 ipv6 ······························································································...
  • Page 113 New feature: BFD for an aggregation group ······································· 200 Configuring BFD for an aggregation group ···················································································· 200 Configuration restrictions and guidelines ················································································ 200 Configuration procedure ····································································································· 201 Command reference ················································································································· 201 link-aggregation bfd ipv4 ····································································································· 201 Modified feature: SSH username ····················································· 202 Feature change description ········································································································...
  • Page 114 netconf soap https acl ········································································································ 216 New feature: Specifying a backup traffic processing unit ······················· 217 Specifying a backup traffic processing unit ···················································································· 217 Command reference ················································································································· 217 service standby ················································································································· 217 New feature: WAAS ······································································ 218 Configuring WAAS ··················································································································· 218 Command reference ·················································································································...
  • Page 115 Modified command: dot1x ead-assistant url ············································································ 225 Modified feature: Displaying information about NTP servers from the reference source to the primary NTP server ···················································· 226 Feature change description ········································································································ 226 Command changes ·················································································································· 226 Modified command: display ntp-service trace ·········································································· 226 Modified feature: Saving, rolling back, and loading the configuration ·······...
  • Page 116 New feature: QoS soft forwarding ···················································· 233 Configuring QoS soft forwarding ································································································· 233 Command reference ················································································································· 233 New feature: Filtering by application layer protocol status ····················· 234 Configuring Filtering by application layer protocol status ·································································· 234 Command reference ················································································································· 234 New feature: ADVPN support for multicast forwarding ··························...
  • Page 117 New feature: MSDP ······································································ 241 Configuring MSDP ··················································································································· 241 Command reference ················································································································· 242 New feature: IPsec MIB and IKE MIB ··············································· 242 New feature: PoE ········································································· 242 Configuring PoE ······················································································································ 242 Command reference ················································································································· 242 New feature: CoPP software forwarding feature ·································· 243 Configuring CoPP ····················································································································...
  • Page 118: Release 0306P30-Us

    Release 0306P30-US This release has the following changes: New feature: SIP compatibility Modified feature: OSPF performance optimization Modified feature: Telnet redirect Modified feature: POS terminal access Modified feature: License Modified feature: IP performance optimization New feature: SIP compatibility Configuring SIP compatibility If a third-party device does not implement SIP in strict accordance with the RFC standard, you can configure SIP compatibility for the router to interoperate with the third-party device.
  • Page 119: Command Reference

    Command reference sip-compatible Use sip-compatible to configure SIP compatibility with a third-party device. Use undo sip-compatible to restore the default. Syntax sip-compatible { t38 | x-param } undo sip-compatible { t38 | x-param } Default SIP compatibility is not configured. Views SIP view Predefined user roles...
  • Page 120: Modified Feature: Ospf Performance Optimization

    Modified feature: OSPF performance optimization Feature change description You can set a fixed OSPF SPF calculation interval in the range of 0 to 10000 milliseconds. The value range for the LSU packet sending interval was changed to 0 to 1000 milliseconds. Command changes Modified command: spf-schedule-interval Old syntax...
  • Page 121: Modified Feature: Pos Terminal Access

    Modified feature: POS terminal access Feature change description The posa auto-stop-service enable command added the function of setting the access interfaces for all E1POS terminal templates to reply with busy tones when all FEPs are unreachable. Command changes Modified command: posa auto-stop-service enable Syntax posa auto-stop-service enable Views...
  • Page 122: Modified Feature: Ip Performance Optimization

    Modified feature: IP performance optimization Feature change description The device supports recording MAC addresses in TCP packets. You can also configure the device to record the MAC address of the local device in TCP packets. Command changes New command: tcp mac-record enable Use tcp mac-record enable to enable MAC address recording in TCP packets.
  • Page 123: Release 0306P12

    undo tcp mac-record local Default The destination MAC address is recorded. Views System view Default command level network-admin Parameters mac-address: Specifies the MAC address of the local device. The MAC address cannot be all 0s, a broadcast MAC address, or a multicast MAC address. Usage guidelines To make this command take effect, you must enable MAC address recording in TCP packets by using the tcp mac-record enable command.
  • Page 124: Modified Feature: Aaa

    Modified feature: AAA Feature change description Starting from this software version, you can configure the authorization method for IKE extended authentication. Command changes New command: authorization ike Use authorization ike to configure the authorization method for IKE extended authentication. Use undo authorization ike to restore the default. Syntax In non-FIPS mode: authorization ike { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }...
  • Page 125: Modified Feature: Configuring A Cellular Interface For A 3G/4G Modem

    # In ISP domain test, use RADIUS scheme rd as the primary authorization method and local authorization as the backup authorization method for IKE extended authentication. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] authorization ike radius-scheme rd local Modified feature: Configuring a cellular interface for a 3G/4G modem Feature change description In this release, you can set the RSSI thresholds for a 3G/4G modem.
  • Page 126: Modified Feature: Vxlan

    medium mediumthreshold: Specifies the upper RSSI threshold value in the range of 0 to 150, which represent an upper RSSI threshold in the range of –150 dBm to 0 dBm. Usage guidelines The device performs the following operations based on the actual RSSI of the 3G/4G modem: •...
  • Page 127: Release 0306P11

    Use undo dhcp server reply-exclude-option60 to restore the default. Syntax dhcp server reply-exclude-option60 undo dhcp server reply-exclude-option60 Default The DHCP server sends DHCP replies containing Option 60. Views System view Predefined user roles network-admin Example # Configure the DHCP server to send DHCP replies that do not contain Option 60. <Sysname>...
  • Page 128: Configuring A Port To Operate In Manual Voice Vlan Assignment Mode

    Step Command Remarks (Optional.) Enable the By default, the voice VLAN voice VLAN security voice-vlan security enable security mode is enabled. mode. (Optional.) Add an OUI voice-vlan mac-address oui mask By default, system default address for voice packet oui-mask [ description text ] OUI addresses exist.
  • Page 129: Enabling Lldp For Automatic Ip Phone Discovery

    Step Command Remarks • Enter Layer 2 Ethernet interface view: interface interface-type interface-number • Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number • Enter S-channel interface view: interface s-channel 16. Enter interface view. interface-number.channel-id • Enter S-channel aggregate interface view: interface schannel-aggregation interface-number:channel-id...
  • Page 130: Configuring Lldp To Advertise A Voice Vlan

    Configuring LLDP to advertise a voice VLAN For IP phones that support LLDP, the device advertises the voice VLAN information to the IP phones through LLDP-MED TLVs. To configure LLDP to advertise a voice VLAN: Step Command Remarks 24. Enter system view. system-view 25.
  • Page 131: Command Reference

    Task: Display the voice VLAN state. Command: display voice-vlan state. Task: Display OUI addresses on a device. Command: display voice-vlan mac-address. Command reference The following commands were added: • display voice-vlan mac-address. • display voice-vlan state. • voice-vlan aging. • voice-vlan enable. •...
  • Page 132: Modified Feature: Mpls Qos Support For Marking The Exp Field

    Default No criterion is defined to match the EXP field in the second MPLS label. Views Traffic class view Predefined user roles network-admin Parameters not: Matches packets not conforming to the specified criterion. exp-value&<1-8>: Specifies a space-separated list of up to eight EXP values. The value range for the exp-value argument is 0 to 7.
  • Page 133: Modified Feature: Automatic Configuration

    Views Traffic behavior view Predefined user roles network-admin Parameters second-mpls-exp-value: Specifies an EXP value for the second MPLS label, in the range of 0 to 7. Examples # Define a traffic behavior to mark packets with EXP value 3 for the second MPLS label. <Sysname>...
  • Page 134: Release 0306P07

    Release 0306P07 This release has the following changes: New feature: L2TP-based EAD New feature: CFD configuration Modified feature: Support using dots in user profile name Modified feature: Default size of the TCP receive and send buffer Modified feature: Support for obtaining fan tray and power module vendor information through MIB Modified feature: Supporting per-packet load sharing Modified feature: Automatic configuration Modified feature: Software image signature...
  • Page 135: Command Reference

    Command reference ppp access-control enable Use ppp access-control enable to enable L2TP-based EAD. Use undo ppp access-control enable to disable L2TP-based EAD. Syntax ppp access-control enable undo ppp access-control enable Default L2TP-based EAD is disabled. Views VT interface view Predefined user roles network-admin Usage guidelines This command does not apply to VA interfaces that already existed in the VT interface.
  • Page 136: New Feature: Cfd Configuration

    network-operator Parameters interface-type interface-number: Specifies an interface by its type and number. interface-name: Specifies an interface by its name. Examples # Display access control information for VA interfaces on VT interface 2. <Sysname> display ppp access-control interface virtual-template 2 Interface: Virtual-Template2:0 User Name: mike In-bound Policy: acl 3000 Totally 0 packets, 0 bytes, 0% permitted,...
  • Page 137: Command Reference

    • cfd port-trigger • display cfd tst history See HPE FlexNetwork MSR Router Series Command References (V7). Modified feature: Support using dots in user profile name Feature change description In this release, the user profile name supports using dots (.).
  • Page 138: Modified Feature: Default Size Of The Tcp Receive And Send Buffer

    Change description Before modification: The user profile name is a case-sensitive string of 1 to 31 characters. Valid characters are letters, digits, and underscores (_), and the name must start with an English letter. After modification: The user profile name is a case-sensitive string of 1 to 31 characters. Valid characters are letters, digits, underscores (_), and dots (.), and the name must start with an English letter.
  • Page 139: Information Through Mib

    Modified feature: Support for obtaining fan tray and power module vendor information through MIB Feature change description In this release, the device supports obtaining fan tray and power module vendor information through MIB. Command changes None Modified feature: Supporting per-packet load sharing Feature change description The per-packet keyword was added to the ip load-sharing mode command to support per-packet load sharing.
  • Page 140: Modified Feature: Automatic Configuration

    Views System view Change description The per-packet keyword was added to the ip load-sharing mode command to support per-packet load sharing. Modified feature: Automatic configuration Feature change description A limit was added to the number of automatic configuration attempts. If the device fails to be automatically configured within the limit, the device quits the automatic configuration process.
  • Page 141: Modified Command: Display Install Backup

    Software image signature: • HP—For software images of the HP version. • HP-US—For software images of the HP US version. • HPE—For software images of the HPE version. Modified command: display install backup Syntax Centralized devices: display install backup [ verbose ] Centralized IRF devices–Distributed devices–In standalone mode:...
  • Page 142: Modified Command: Display Install Inactive

    Software image signature: • HP—For software images of the HP version. • HP-US—For software images of the HP US version. • HPE—For software images of the HPE version. Modified command: display install inactive Syntax Centralized devices: display install inactive [ verbose ] Centralized IRF devices–Distributed devices–In standalone mode:...
  • Page 143: Modified Command: Display Install Package

    Software image signature: • HP—For software images of the HP version. • HP-US—For software images of the HP US version. • HPE—For software images of the HPE version. Modified command: display install package Syntax display install package { filename | all } [ verbose ] Views...
  • Page 144: Release 0305P08

    Software image signature: • HP—For software images of the HP version. • HP-US—For software images of the HP US version. • HPE—For software images of the HPE version. Release 0305P08 This release has the following changes: New feature: mGRE New feature: Disabling transceiver module alarm...
  • Page 145: Mgre Operation Procedure

    • NHC—NHRP client, a spoke device in the mGRE network. Typically, it is the gateway of a branch network. An NHC does not forward data received from other mGRE nodes. mGRE obtains dynamic public addresses of NHCs through their private addresses to establish mGRE tunnels and forward packets.
  • Page 146 Figure 2 Full-mesh network [figure: NHC 1 (Site 1) and NHC 2 (Site 2) across the public network; labels: NHC-NHC, Data] • NHS-NHC network—NHCs cannot establish tunnels between each other. Instead, they establish tunnels with the NHS. The NHS forwards data for the NHCs. The NHS acts as both the routing information exchange center and the data forwarding center.
  • Page 147: Mgre Support For Nat Traversal

    An NHC-NHS tunnel is permanent. An NHC can establish permanent tunnels to any number of NHSs. • NHC-NHC tunnel establishment process: a. In a full-mesh network, when an NHC receives a data packet but finds no tunnel for forwarding the packet, the NHC (initiator) sends an address resolution request to the NHS. b.
  • Page 148: Configuring An Mgre Tunnel

    Tasks at a glance (Required.) Configuring an mGRE tunnel (Required.) Configuring routing (Optional.) Configuring IPsec for an mGRE tunnel Configuring an mGRE tunnel The public address of an NHC can be statically configured or dynamically assigned. The private address of an NHC must be statically configured. For more information about tunnel interfaces, see tunneling configuration in Layer 3—IP Services Configuration Guide.
  • Page 149: Configuring Routing

    Step: 11. (Optional.) Configure a GRE key for the tunnel interface.
    Command: gre key key
    Remarks: By default, no GRE key is configured for an mGRE tunnel interface. You must configure the same GRE key or configure no key on both ends of a tunnel. On the device, you must configure...
  • Page 150: Displaying And Maintaining Mgre

    For more information about IPsec configuration, see "Configuring IPsec." Displaying and maintaining mGRE Execute display commands in any view and reset commands in user view.
    Task: Display information about NHRP mapping entries.
    Command: display nhrp map [ interface tunnel interface-number [ peer ipv4-address ] ] [ verbose ]
    Task: Display NHRP packet statistics for tunnel interfaces.
    Command: display nhrp statistics [ interface tunnel...
  • Page 151: Usage Guidelines

    Usage guidelines If you do not specify any parameters, this command displays brief information about all mGRE sessions on all tunnel interfaces. Examples # Display brief information about all mGRE sessions. <Sysname> display mgre session Interface : Tunnel1 Number of sessions: 2 Peer NBMA address Peer protocol address Type...
  • Page 152 <Sysname> display mgre session verbose Interface : Tunnel1 Link protocol : GRE Number of sessions: 2 Peer NBMA address : 10.0.1.3 Peer protocol address: 192.168.180.136 Session type : C-S State : Succeeded State duration : 00:30:01 Input : 2201 packets, 218 data packets, 3 control packets 2191 multicasts, 0 errors Output: 2169 packets, 2168 data packets, 1 control packets 2163 multicasts, 0 errors...
  • Page 153 Peer NBMA address : 20.0.0.3 Peer protocol address: 192.168.181.137 Behind NAT : No Session type : C-C State : Succeeded State duration : 00:31:01 Input : 0 packets, 0 data packets, 0 control packets 0 multicasts, 0 errors Output: 1 packets, 0 data packets, 1 control packets 0 multicasts, 0 errors # Display detailed information about the mGRE session with the peer public address 202.12.12.12.
  • Page 154: New Command: Display Nhrp Map

    Field Description hh:mm:ss. Statistics on received packets: • packets—Total number of packets. • data packets—Number of data packets. Input • control packets—Number of control packets. • multicasts—Number of multicast packets. • errors—Number of error packets. Statistics on received packets: • packets—Total number of packets.
  • Page 155 Destination/mask Next hop NBMA address Type Interface 172.16.1.1/32 172.16.1.1 105.112.100.4 cached Tunnel0 172.16.1.2/32 172.16.1.2 105.112.100.92 cached Tunnel0 # Display detailed information about all NHRP mapping entries. <Sysname> display nhrp map verbose Interface : Tunnel0 Destination/mask : 172.16.1.1/32 Next hop : 172.16.1.1 Creation time : 00:38:44 Expiration time...
  • Page 156: New Command: Display Nhrp Statistics

    New command: display nhrp statistics Use display nhrp statistics to display NHRP packet statistics for a tunnel interface. Syntax display nhrp statistics [ interface tunnel interface-number ] Views Any view Predefined user roles network-admin network-operator Parameters interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range of 0 to 4095.
  • Page 157: New Command: Nhrp Authentication

    Resolution replies Registration requests : 0 Registration replies Purge requests Purge replies Error indications Traffic indications NHRP packets received Resolution requests Resolution replies Registration requests : 3 Registration replies Purge requests Purge replies Error indications Traffic indications # Display NHRP packet statistics for the specified tunnel interface. <Sysname>...
  • Page 158: New Command: Nhrp Holdtime

    undo nhrp authentication Default No NHRP packet authentication key is configured. NHRP nodes do not authenticate NHRP packets received from each other. Views mGRE tunnel interface view Predefined user roles network-admin Parameters cipher: Specifies an authentication key in encrypted form. simple: Specifies an authentication key in plaintext form.
  • Page 159: New Command: Nhrp Network-Id

    Default The holdtime of NHRP mapping entries is 7200 seconds. Views mGRE tunnel interface view Predefined user roles network-admin Parameters seconds: Specifies the holdtime in the range of 1 to 65535 seconds. Usage guidelines After the holdtime is configured, the local NHRP holdtime carried in outgoing packets is updated to the configured holdtime.
  • Page 160: New Command: Nhrp Nhs

    Usage guidelines A network ID is only locally significant. You can configure different NHRP network IDs for different tunnel interfaces on the device. The NHC and server can have different NHRP network IDs. If you execute this command multiple times, the most recent configuration takes effect. Examples # Set the NHRP network ID to 10 for mGRE tunnel interface Tunnel1.
  • Page 161: New Command: Reset Mgre Session

    Related commands interface tunnel (Layer 3—IP Services Command Reference) New command: reset mgre session Use reset mgre session to reset dynamic mGRE sessions. Syntax reset mgre session [ interface tunnel interface-number [ peer ipv4-address ] ] Views User view Predefined user roles network-admin Parameters interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range...
  • Page 162: New Command: Reset Nhrp Statistics

    Predefined user roles network-admin Parameters interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range of 0 to 4095. If you do not specify this option, the command clears mGRE session statistics for all mGRE tunnel interfaces. peer ipv4-address: Specifies a peer public address.
  • Page 163: New Feature: Disabling Transceiver Module Alarm

    The device regularly checks transceiver modules for their vendor information. If a transceiver module does not have a vendor name or the vendor name is not HPE, the device outputs traps and logs to prompt you to replace the module. This feature enables you to suppress the traps and logs.
  • Page 164: Modified Feature: Default User Role

    Modified feature: Default user role Feature change description The default user role can be changed. The role-name argument was added to the role default-role enable command for specifying a user role as the default user role. Command changes Modified command: role default-role enable Old syntax role default-role enable undo role default-role enable...
  • Page 165: Command Changes

    Command changes Modified command: debugging Old syntax debugging { all [ timeout time ] | module-name [ option ] } undo debugging { all | module-name [ option ] } New syntax debugging module-name [ option ] undo debugging module-name [ option ] Views User view Change description...
  • Page 166: New Feature: Public Key Management Support For Suite B

    New feature: Public key management support for Suite B Configuring Suite B in public key management Suite B contains a set of encryption and authentication algorithms that meet high security requirements. In this software version, Suite B is available in public key management. Support for new elliptic curve algorithms was added for generating ECDSA key pairs.
  • Page 167: New Feature: Pki Support For Suite B

    New feature: PKI support for Suite B Configuring Suite B in PKI Suite B contains a set of encryption and authentication algorithms that meet high security requirements. PKI commands were modified to support Suite B. Command reference Modified command: public-key ecdsa Old syntax public-key ecdsa name key-name undo public-key...
  • Page 168: Overview

    Overview Internet Key Exchange version 2 (IKEv2) is an enhanced version of IKEv1. Like IKEv1, IKEv2 has a set of self-protection mechanisms and can be used on insecure networks for reliable identity authentication, key distribution, and IPsec SA negotiation. IKEv2 provides stronger protection against attacks and higher key exchange ability and needs fewer message exchanges than IKEv1...
  • Page 169: New Features In Ikev2

    Figure 4 IKEv2 Initial exchange process [figure between Peer 1 and Peer 2; step labels: send the local policy and key information; search for a matched policy and generate the key; SA exchange, key exchange; confirmed policy and key information...]
  • Page 170: Protocols And Standards

    IKEv2 SA rekeying For security purposes, both IKE SAs and IPsec SAs have a lifetime and must be rekeyed when the lifetime expires. An IKEv1 SA lifetime is negotiated. An IKEv2 SA lifetime, in contrast, is configured. If two peers are configured with different lifetimes, the peer with the shorter lifetime always initiates the SA rekeying.
  • Page 171: Configuring An Ikev2 Profile

    Tasks at a glance (with remarks):
    (Required.) Configuring an IKEv2 profile
    (Required.) Configuring an IKEv2 policy
    (Optional.) Configuring an IKEv2 proposal. Remarks: If you specify an IKEv2 proposal in an IKEv2 policy, you must configure the IKEv2 proposal.
    Configuring an IKEv2 keychain. Remarks: Required when either end or both ends use the pre-shared key authentication method...
  • Page 172 Specify a priority number for the IKEv2 profile. To determine the priority of an IKEv2 profile: a. First, the device examines the existence of the match local command. An IKEv2 profile with the match local command configured has a higher priority. b.
  • Page 173 The AAA authorization feature enables IKEv2 to request authorization attributes, such as the IKEv2 address pool, from AAA. IKEv2 uses the address pool to assign IP addresses to remote users. For more information about AAA authorization, see "Configuring AAA." To configure an IKEv2 profile: Step Command Remarks...
  • Page 174: Configuring An Ikev2 Policy

    Step: 24. (Optional.) Configure the DPD feature for the IKEv2 profile.
    Command: dpd interval interval [ retry seconds ] { on-demand | periodic }
    Remarks: By default, DPD is disabled for an IKEv2 profile. The global DPD settings in system view are used. If DPD is also disabled in system view, the device does not perform DPD...
  • Page 175: Configuring An Ikev2 Proposal

    Step: Specify a VPN instance for IKEv2 policy matching.
    Command: match vrf { name vrf-name | any }
    Remarks: By default, no VPN instance is specified for IKEv2 policy matching. The IKEv2 policy matches all local addresses in the public network.
    Step: Specify an IKEv2 proposal for the IKEv2 policy.
    Command: proposal proposal-name
    Remarks: By default, no IKEv2 proposal is...
  • Page 176: Configuring An Ikev2 Keychain

    aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc } * In FIPS mode: encryption { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 } * In non-FIPS mode: integrity { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } By default, an IKEv2 proposal does...
  • Page 177: Configure Global Ikev2 Parameters

    Step: Create an IKEv2 peer and enter IKEv2 peer view.
    Command: peer name
    Remarks: By default, no IKEv2 peers exist.
    Command: • To configure a host name for the peer: hostname host-name • To configure a host IP address or address range for the peer: address { ipv4-address [...
    Remarks: By default, no hostname, host IP address, address range, or identity...
  • Page 178: Configuring The Ikev2 Nat Keepalive Feature

    Before the device sends data, it identifies the time interval since the last IPsec packet was received from the peer. If the time interval exceeds the DPD interval, it sends a DPD message to the peer to detect its liveness. If the device has no data to send, it never sends DPD messages...
  • Page 179: Displaying And Maintaining Ikev2

    Step: Configure an IKEv2 IPv4 address pool.
    Command: ikev2 address-group group-name start-ipv4-address end-ipv4-address [ mask | mask-length ]
    Remarks: By default, no IKEv2 IPv4 address pool exists.
    Step: Configure an IKEv2 IPv6 address pool.
    Command: ikev2 ipv6-address-group group-name prefix...
    Remarks: By default, no IKEv2 IPv6 address...
  • Page 180: New Command: Address

    Predefined user roles network-admin Parameters domain domain-name: Specifies the ISP domain used for requesting authorization attributes. The ISP domain name is a case-insensitive string of 1 to 255 characters and must meet the following requirements: • The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or an at sign (@).
  • Page 181: New Command: Authentication-Method

    Syntax address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } undo address Default An IKEv2 peer's IP address or IP address range is not specified. Views IKEv2 peer view Predefined user roles network-admin Parameters ipv4-address: Specifies the IPv4 address of the IKEv2 peer.
  • Page 182 Syntax authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share | rsa-signature } undo authentication-method local undo authentication-method remote { dsa-signature | ecdsa-signature | pre-share | rsa-signature } Default No local or remote identity authentication method is specified. Views IKEv2 profile view Predefined user roles...
  • Page 183: New Command: Certificate Domain

    # Specify the pre-shared key and RSA signatures as the local and remote authentication methods, respectively. [Sysname-ikev2-profile-profile1] authentication local pre-share [Sysname-ikev2-profile-profile1] authentication remote rsa-signature # Specify the PKI domain genl as the PKI domain for obtaining certificates. [Sysname-ikev2-profile-profile1] certificate domain genl # Specify the keychain keychain1.
  • Page 184: New Command: Config-Exchange

    If the local end uses RSA, DSA, or ECDSA signature authentication, you must specify a PKI domain for signature generation. If the remote end uses RSA, DSA, or ECDSA signature authentication, you must specify a PKI domain for verifying the remote end's certificate. If you do not specify PKI domains, the PKI domains configured in system view will be used.
  • Page 185: New Command: Description

    Usage guidelines The configuration exchange feature enables the local and remote ends to exchange configuration data, such as gateway address, internal IP address, and route. The exchange includes data request and response, and data push and response. The enterprise center can push IP addresses to branches.
  • Page 186: New Command: Display Ike Statistics

    Parameters text: Specifies a description, a case-sensitive string of 1 to 80 characters. Usage guidelines If multiple IKE proposals exist, you can use this command to configure different descriptions for them to distinguish them. Examples # Configure the description test for the IKE proposal 1. <Sysname>...
  • Page 187: New Command: Display Ikev2 Policy

    Invalid hash information: 0 Unsupported attribute: 0 Unsupported certificate type: 0 Invalid certificate authority: 0 Invalid signature: 0 Unsupported exchange type: 0 No available SA: 0 Retransmit timeout: 0 Not enough memory: 0 Enqueue fails: 0 New command: display ikev2 policy Use display ikev2 policy to display the IKEv2 policy configuration.
  • Page 188: New Command: Display Ikev2 Profile

    Table 4 Command output Field Description IKEv2 policy Name of the IKEv2 policy. Priority Priority of the IKEv2 policy. Match local address IPv4 address to which the IKEv2 policy can be applied. Match local address ipv6 IPv6 address to which the IKEv2 policy can be applied. Match VRF VPN instance to which the IKEv2 policy can be applied.
  • Page 189 Remote authentication methods: pre-share Keychain: Keychain1 Sign certificate domain: Domain1 Verify certificate domain: Domain2 SA duration: 500 seconds DPD: Interval 32 secs, retry-interval 23 secs, periodic Config exchange: request, set accept, set send NAT keepalive: 10 seconds AAA authorization: Domain domain1, username ikev2 Table 5 Command output Field Description...
  • Page 190: New Command: Display Ikev2 Proposal

    Related commands ikev2 profile New command: display ikev2 proposal Use display ikev2 proposal to display the IKEv2 proposal configuration. Syntax display ikev2 proposal [ name | default ] Views Any view Predefined user roles network-admin network-operator Parameters name: Specifies an IKEv2 proposal by its name, a case-insensitive string of 1 to 63 characters. default: Specifies the default IKEv2 proposal.
  • Page 191: New Command: Display Ikev2 Sa

    Field Description PRF algorithms that the IKEv2 proposal uses. DH group DH groups that the IKEv2 proposal uses. Related commands ikev2 proposal New command: display ikev2 sa Use display ikev2 sa to display the IKEv2 SA information. Syntax display ikev2 sa [ { count | local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ verbose [ tunnel tunnel-id ] ] Views Any view...
  • Page 192 Examples # Display summary information about all IKEv2 SAs. <Sysname> display ikev2 sa Tunnel ID Local Remote Status -------------------------------------------------------------------- 1.1.1.1/500 1.1.1.2/500 2.2.2.1/500 2.2.2.2/500 Status: IN-NEGO: Negotiating, EST: Established, DEL: Deleting # Display summary IKEv2 SA information for the remote IP address 1.1.1.2. <Sysname>...
  • Page 193 PRF algorithm: HMAC_MD5 Encryption algorithm: AES-CBC-192 Life duration: 86400 secs Remaining key duration: 85604 secs Diffie-Hellman group: MODP1024/Group2 NAT traversal: Not detected DPD: Interval 20 secs, retry interval 2 secs Transmitting entity: Initiator Local window: 1 Remote window: 1 Local request message ID: 2 Remote request message ID:2 Local next message ID: 0 Remote next message ID: 0...
  • Page 194 Local window: 1 Remote window: 1 Local request message ID: 2 Remote request message ID: 2 Local next message ID: 0 Remote next message ID: 0 Pushed IP address: 192.168.1.5 Assigned IP address: 192.168.2.24 Table 8 Command output Field Description Tunnel ID ID of the IPsec tunnel to which the IKEv2 SA belongs.
  • Page 195: New Command: Display Ikev2 Statistics

    Field Description If DPD is disabled, this field displays Disabled. Role of the local end in IKEv2 negotiation, initiator or Transmitting entity responder. Local window Window size that the local end uses. Remote window Window size that the remote end uses. Local request message ID ID of the request message that the local end is about to send.
  • Page 196: New Command: Dh

    Temporary failure: 0 No child SA: 0 Unknown other notify: 0 No enough resource: 0 Enqueue error: 0 No IKEv2 SA: 0 Packet error: 0 Other error: 0 Retransmit timeout: 0 DPD detect error: 0 Del child for IPsec message: 0 Del child for deleting IKEv2 SA: 0 Del child for receiving delete message: 0 New command: dh...
  • Page 197: New Command: Dpd

    group19: Uses the 256-bit ECP Diffie-Hellman group. group20: Uses the 384-bit ECP Diffie-Hellman group. Usage guidelines A DH group with a higher group number provides higher security but needs more time for processing. To achieve the best trade-off between processing performance and security, choose proper DH groups for your network.
  • Page 198: New Command: Encryption

    on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for the specified interval. periodic: Triggers DPD at regular intervals. The device triggers DPD at the specified interval. Usage guidelines DPD is triggered periodically or on-demand.
  • Page 199: New Command: Hostname

    Parameters 3des-cbc: Specifies the 3DES algorithm in CBC mode, which uses a 168-bit key. aes-cbc-128: Specifies the AES algorithm in CBC mode, which uses a 128-bit key. aes-cbc-192: Specifies the AES algorithm in CBC mode, which uses a 192-bit key. aes-cbc-256: Specifies the AES algorithm in CBC mode, which uses a 256-bit key.
  • Page 200: New Command: Identity

    Views IKEv2 peer view Predefined user roles network-admin Parameters name: Specifies the host name of the IKEv2 peer, a case-insensitive string of 1 to 253 characters. Usage guidelines Only the initiator can look up an IKEv2 peer by host name in IKEv2 negotiation, and the initiator must use an IPsec policy rather than an IPsec profile.
  • Page 201: New Command: Identity Local

    Parameters ipv4-address: Specifies the IPv4 address of the peer. ipv6 ipv6-address: Specifies the IPv6 address of the peer. fqdn fqdn-name: Specifies the FQDN of the peer. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com. email email-string: Specifies the email address of the peer.
  • Page 202: New Command: Ikev2 Address-Group

    Default No local ID is specified. The IP address of the interface to which the IPsec policy is applied is used as the local ID. Views IKEv2 profile view Predefined user roles network-admin Parameters address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the local ID. dn: Uses the DN in the local certificate as the local ID.
  • Page 203: New Command: Ikev2 Cookie-Challenge

    Default No IKEv2 IPv4 address pools exist. Views System view Predefined user roles network-admin Parameters group-name: Specifies a name for the IKEv2 IPv4 address pool. The group-name argument is a case-insensitive string of 1 to 63 characters. start-ipv4-address end-ipv4-address: Specifies an IPv4 address range. The start-ipv4-address argument specifies the start IPv4 address.
  • Page 204: New Command: Ikev2 Dpd

    Views System view Predefined user roles network-admin Parameters number: Specifies the threshold for triggering the cookie challenging feature. The value range for this argument is 0 to 1000 half-open IKE SAs. Usage guidelines When an IKEv2 responder maintains a threshold number of half-open IKE SAs, it starts the cookie challenging mechanism.
  • Page 205: New Command: Ikev2 Ipv6-Address-Group

    retry seconds: Specifies the DPD retry interval in the range of 2 to 60 seconds. The default is 5 seconds. on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for the specified interval. periodic: Triggers DPD at regular intervals.
  • Page 206: New Command: Ikev2 Keychain

    Predefined user roles network-admin Parameters group-name: Specifies a name for the IKEv2 IPv6 address pool. The group-name argument is a case-insensitive string of 1 to 63 characters. prefix prefix/prefix-len: Specifies an IPv6 prefix in the format of prefix/prefix length. The value range for the prefix-len argument is 1 to 128.
  • Page 207: New Command: Ikev2 Nat-Keepalive

    Parameters keychain-name: Specifies a name for the IKEv2 keychain. The keychain name is a case-insensitive string of 1 to 63 characters and cannot contain a hyphen (-). Usage guidelines An IKEv2 keychain is required on both ends if either end uses pre-shared key authentication. The pre-shared key configured on both ends must be the same.
  • Page 208: New Command: Ikev2 Policy

    New command: ikev2 policy Use ikev2 policy to create an IKEv2 policy and enter its view, or enter the view of an existing IKEv2 policy. Use undo ikev2 policy to delete an IKEv2 policy. Syntax ikev2 policy policy-name undo ikev2 policy policy-name Default An IKEv2 policy named default exists, which uses the default IKEv2 proposal and matches any local addresses.
  • Page 209: New Command: Ikev2 Profile

    Related commands display ikev2 policy New command: ikev2 profile Use ikev2 profile to create an IKEv2 profile and enter its view, or enter the view of an existing IKEv2 profile. Use undo ikev2 profile to delete an IKEv2 profile. Syntax ikev2 profile profile-name undo ikev2 profile profile-name Default...
  • Page 210 Syntax ikev2 proposal proposal-name undo ikev2 proposal proposal-name Default An IKEv2 proposal named default exists, which has the lowest priority and uses the following settings: • In non-FIPS mode: Encryption algorithm—AES-CBC-128 and 3DES. Integrity protection algorithm—HMAC-SHA1 and HMAC-MD5. PRF algorithm—HMAC-SHA1 and HMAC-MD5.
  • Page 211: New Command: Inside-Vrf

    [Sysname-ikev2-proposal-prop1] authentication-algorithm sha1 [Sysname-ikev2-proposal-prop1] prf sha1 [Sysname-ikev2-proposal-prop1] dh group2 Related commands • encryption-algorithm • integrity • • New command: inside-vrf Use inside-vrf to specify an inside VPN instance. Use undo inside-vrf to restore the default. Syntax inside-vrf vrf-name undo inside-vrf Default No inside VPN instance is specified.
  • Page 212: New Command: Integrity

    [Sysname-ikev2-profile-profile1] inside-vrf vpn1 New command: integrity Use integrity to specify integrity protection algorithms for an IKEv2 proposal. Use undo integrity to restore the default. Syntax In non-FIPS mode: integrity { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } * undo integrity In FIPS mode: integrity { sha1 | sha256 | sha384 | sha512 } *...
  • Page 213: New Command: Keychain

    # Specify HMAC-SHA1 and HMAC-MD5 as the integrity protection algorithms, with HMAC-SHA1 preferred. [Sysname-ikev2-proposal-prop1] integrity sha1 md5 Related commands ikev2 proposal New command: keychain Use keychain to specify an IKEv2 keychain for pre-shared key authentication. Use undo keychain to restore the default. Syntax keychain keychain-name undo keychain...
  • Page 214: New Command: Match Local (Ikev2 Profile View)

    New command: match local (IKEv2 profile view) Use match local to specify a local interface or a local IP address to which an IKEv2 profile can be applied. Use undo match local to remove a local interface or a local IP address to which an IKEv2 profile can be applied.
  • Page 215: New Command: Match Local Address (Ikev2 Policy View)

    <Sysname> system-view [Sysname] ikev2 profile profile1 # Apply the IKEv2 profile profile1 to the interface whose IP address is 2.2.2.2. [Sysname-ikev2-profile-profile1] match local address 2.2.2.2 Related commands match remote New command: match local address (IKEv2 policy view) Use match local address to specify a local interface or a local address that an IKEv2 policy matches.
  • Page 216: New Command: Match Remote

    Related commands • display ikev2 policy • match vrf New command: match remote Use match remote to configure a peer ID that an IKEv2 profile matches. Use undo match remote to delete a peer ID that an IKEv2 profile matches. Syntax match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range...
  • Page 217: New Command: Match Vrf (Ikev2 Policy View)

    • fqdn fqdn-name: Uses the peer's FQDN as the peer ID for IKEv2 profile matching. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com. • email email-string: Uses the peer's email address as the peer ID for IKEv2 profile matching. The email-string argument is a case-sensitive string of 1 to 255 characters in the format defined by RFC 822, such as sec@abc.com.
  • Page 218: New Command: Match Vrf (Ikev2 Profile View)

    Default No VPN instance is specified, and the IKEv2 policy matches all local IP addresses in the public network. Views IKEv2 policy view Predefined user roles network-admin Parameters name vrf-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters. any: Specifies the public network and all VPN instances.
  • Page 219: New Command: Nat-Keepalive

    Views IKEv2 profile view Predefined user roles network-admin Parameters name vrf-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters. any: Specifies the public network and all VPN instances. Usage guidelines If an IKEv2 profile belongs to a VPN instance, only interfaces in the VPN instance can use the IKEv2 profile for IKEv2 negotiation.
  • Page 220: New Command: Peer

    Usage guidelines This command takes effect when the device resides in the private network behind a NAT device. The device must send NAT keepalive packets regularly to its peer to keep the NAT session alive, so that the peer can access the device. The NAT keepalive interval must be shorter than the NAT session lifetime.
  • Page 221: New Command: Pre-Shared-Key

    Examples # Create an IKEv2 keychain named key1 and enter IKEv2 keychain view. <Sysname> system-view [Sysname] ikev2 keychain key1 # Create an IKEv2 peer named peer1. [Sysname-ikev2-keychain-key1] peer peer1 Related commands • address • hostname • identity • ikev2 keychain New command: pre-shared-key Use pre-shared-key to configure a pre-shared key.
  • Page 222 Usage guidelines If you specify the local or remote keyword, you configure an asymmetric key. If you specify neither the local nor the remote keyword, you configure a symmetric key. To delete a key by using the undo command, you must specify the correct key type. For example, if you configure a key by using the pre-shared-key local command, you cannot delete the key by using the undo pre-shared-key or undo pre-shared-key remote command.
  • Page 223: New Command: Prf

    Related commands • ikev2 keychain • peer New command: prf Use prf to specify pseudo-random function (PRF) algorithms for an IKEv2 proposal. Use undo prf to restore the default. Syntax In non-FIPS mode: prf { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } * undo prf In FIPS mode: prf { sha1 | sha256 | sha384 | sha512 } *...
  • Page 224: New Command: Priority (Ikev2 Policy View)

    # Specify HMAC-SHA1 and HMAC-MD5 as the PRF algorithms, with HMAC-SHA1 preferred. [Sysname-ikev2-proposal-prop1] prf sha1 md5 Related commands • ikev2 proposal • integrity New command: priority (IKEv2 policy view) Use priority to set a priority for an IKEv2 policy. Use undo priority to restore the default. Syntax priority priority undo priority...
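An added example, not part of the HPE release notes: a Python check that flags IKEv2 proposal keywords outside the FIPS-mode sets these notes list for the encryption, integrity, and prf commands. The saved-configuration layout (unindented view headers, indented commands, `#` separators) and the sample proposals are constructed assumptions.

```python
"""Audit IKEv2 proposal blocks against the FIPS-mode keyword sets."""
import re

# Keyword sets copied from the "In FIPS mode" syntax lines in these release notes.
FIPS_ALLOWED = {
    "encryption": {"aes-cbc-128", "aes-cbc-192", "aes-cbc-256",
                   "aes-ctr-128", "aes-ctr-192", "aes-ctr-256"},
    "integrity": {"sha1", "sha256", "sha384", "sha512"},
    "prf": {"sha1", "sha256", "sha384", "sha512"},
}

# Constructed sample configuration (assumed layout, not taken from a real device).
SAMPLE_CONFIG = """\
#
ikev2 proposal prop1
 encryption aes-cbc-256 3des-cbc
 integrity sha256 md5
 prf sha256
 dh group20
#
ikev2 proposal prop2
 encryption aes-ctr-256
 integrity sha384
 prf sha384 aes-xcbc-mac
 dh group19
#
ikev2 policy policy1
 proposal prop1
#
"""

PROPOSAL_RE = re.compile(r"^ikev2 proposal (\S+)\s*$")


def parse_proposals(config_text):
    """Return {proposal_name: {command: [keywords in configured order]}}."""
    proposals = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        match = PROPOSAL_RE.match(line)
        if match:
            current = proposals.setdefault(match.group(1), {})
            continue
        # Any unindented line ("#", another view header) ends the proposal view.
        if not line.startswith(" "):
            current = None
            continue
        if current is None:
            continue  # indented line that belongs to some other view
        parts = line.split()
        if parts and parts[0] in FIPS_ALLOWED:
            current[parts[0]] = parts[1:]
    return proposals


def audit(config_text):
    """Return (proposal, command, keyword) for each keyword outside the FIPS set."""
    findings = []
    for name, commands in parse_proposals(config_text).items():
        for command, allowed in FIPS_ALLOWED.items():
            for keyword in commands.get(command, []):
                if keyword not in allowed:
                    findings.append((name, command, keyword))
    return findings


if __name__ == "__main__":
    for name, command, keyword in audit(SAMPLE_CONFIG):
        print(f"{name}: '{command} {keyword}' is not in the FIPS-mode keyword set")
```

The keyword order inside each command is preserved by the parser because the notes state that algorithms listed earlier are preferred.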
  • Page 225: New Command: Proposal

    Syntax priority priority undo priority Default The priority of an IKEv2 profile is 100. Views IKEv2 profile view Predefined user roles network-admin Parameters priority: Specifies the priority of the IKEv2 profile, in the range of 1 to 65535. A smaller number represents a higher priority.
  • Page 226: New Command: Reset Ikev2 Sa

    Usage guidelines You can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a higher priority. Examples # Specify the IKEv2 proposal proposal1 for the IKEv2 policy policy1. <Sysname> system-view [Sysname] ikev2 policy policy1 [Sysname-ikev2-policy-policy1] proposal proposal1 Related commands •...
  • Page 227: New Command: Reset Ikev2 Statistics

    Usage guidelines Deleting an IKEv2 SA will also delete the child SAs negotiated through the IKEv2 SA. If you do not specify any parameters, this command deletes all IKEv2 SAs and the child SAs negotiated through the IKEv2 SAs. Examples # Display information about IKEv2 SAs.
  • Page 228: New Command: Sa Duration

    New command: sa duration Use sa duration to set the IKEv2 SA lifetime. Use undo sa duration to restore the default. Syntax sa duration seconds undo sa duration Default The IKEv2 SA lifetime is 86400 seconds. Views IKEv2 profile view Predefined user roles network-admin Parameters...
  • Page 229: New Command: Ikev2-Profile

    undo esn enable Default ESN is disabled. Views IPsec transform set view Predefined user roles network-admin Parameters both: Specifies IPsec to support both extended sequence number and traditional sequence number. If you do not specify this keyword, IPsec only supports extended sequence number. Usage guidelines The ESN feature extends the sequence number length from 32 bits to 64 bits.
  • Page 230: New Command: Tfc Enable

    Predefined user roles network-admin Parameters profile-name: Specifies an IKEv2 profile by its name, a case-insensitive string of 1 to 63 characters. Usage guidelines The IKEv2 profile specified for an IPsec policy or IPsec policy template defines the parameters used for IKEv2 negotiation. You can specify only one IKEv2 profile for an IPsec policy or IPsec policy template.
  • Page 231: Modified Command: Ah Authentication-Algorithm

    encapsulated by ESP in transport mode and on original IP packets encapsulated by ESP in tunnel mode. Examples # Enable TFC padding for the IPsec policy policy1. <Sysname> system-view [Sysname] ipsec policy policy1 10 isakmp [Sysname-ipsec-policy-isakmp-policy1-10] tfc enable Related commands •...
  • Page 232: Modified Command: Display Ipsec { Ipv6-Policy | Policy

    Modified command: display ipsec { ipv6-policy | policy } Syntax display ipsec { ipv6-policy | policy } [ policy-name [ seq-number ] ] Views Any view Change description The following fields were added to the command output: • Traffic Flow Confidentiality—Whether Traffic Flow Confidentiality (TFC) padding is enabled. •...
  • Page 233: Modified Command: Display Ipsec Transform-Set

    • Traffic Flow Confidentiality enable—Whether Traffic Flow Confidentiality (TFC) padding is enabled. • Inside VRF—VPN instance to which the protected data flow belongs. The following values were added to the Perfect Forward Secrecy field: • dh-group19—256-bit ECP Diffie-Hellman group. • dh-group20—384-bit ECP Diffie-Hellman group.
  • Page 234: Modified Command: Esp Encryption-Algorithm

    esp authentication-algorithm sha1 undo esp authentication-algorithm New syntax In non-FIPS mode: esp authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } * undo esp authentication-algorithm In FIPS mode: esp authentication-algorithm { sha1 | sha256 | sha384 | sha512 } * undo esp authentication-algorithm Views IPsec transform set view...
  • Page 235: Modified Command: Pfs

    In FIPS mode: esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 }* undo esp encryption-algorithm Views IPsec transform set view Change description The following keywords were added: •...
  • Page 236: Modified Command: Pre-Shared-Key

    pfs dh-group14 undo pfs New syntax In non-FIPS mode: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group19 | dh-group20 | dh-group24 } undo pfs In FIPS mode: pfs { dh-group14 | dh-group19 | dh-group20 | dh-group24 } undo pfs Views IPsec transform set view...
  • Page 237: Modified Command: Authentication-Algorithm

    Views IKE keychain view Change description After modification, if you do not specify the cipher cipher-key option, you specify a plaintext pre-shared key in interactive mode. The key is a case-sensitive string of 15 to 128 characters, and it must contain uppercase and lowercase letters, digits, and special characters other than the question mark (?).
  • Page 238: New Feature: Ssl Support For Suite B

    New feature: SSL support for Suite B Configuring Suite B in SSL Suite B contains a set of encryption and authentication algorithms that meet high security requirements. In this software version, Suite B is available in SSL. In addition, a new command was added to display the algorithm version number on the device.
  • Page 239 Use undo ssl version disable to enable SSL protocol versions on the device. Syntax In non-FIPS mode: ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable undo ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable In FIPS mode: ssl version { tls1.0 | tls1.1 } * disable undo ssl version { tls1.0 | tls1.1 } * disable Default...
  • Page 240: New Command: Ssl Renegotiation Disable

    [Sysname] ssl version tls1.0 disable New command: ssl renegotiation disable Use ssl renegotiation disable to disable SSL session renegotiation. Use undo ssl renegotiation disable to restore the default. Syntax ssl renegotiation disable undo ssl renegotiation disable Default SSL session renegotiation is enabled. Views System view Predefined user roles...
  • Page 241: Modified Command: Ciphersuite

    version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 } undo version In FIPS mode: version { tls1.0 | tls1.1 | tls1.2 } undo version Views SSL client policy view Change description The following keywords were added: • tls1.1: Specifies TLS 1.0 for the SSL client policy. •...
  • Page 242 undo ciphersuite In FIPS mode: cipher { rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha256 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_gcm_sha384 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_gcm_sha384 } * undo ciphersuite Views SSL server policy view Change description The following keywords were added: • rsa_aes_128_cbc_sha256: Specifies the key exchange algorithm RSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.
  • Page 243: Modified Command: Prefer-Cipher

    Modified command: prefer-cipher Old syntax In non-FIPS mode: prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } undo prefer-cipher In FIPS mode: prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha } undo prefer-cipher New syntax In non-FIPS mode:...
  • Page 244: New Feature: Fips Support For Suite B

    • rsa_aes_128_cbc_sha256: Specifies the key exchange algorithm RSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256. • rsa_aes_256_cbc_sha256: Specifies the key exchange algorithm RSA, the data encryption algorithm 256-bit AES CBC, and the MAC algorithm SHA256. •...
  • Page 245: Command Reference

    Command reference New command: fips rng random size filename Use fips rng random size filename to generate a random number and save it to a file. Syntax fips rng random size random-size filename filename Views Probe view Predefined user roles network-admin Parameters random-size: Specifies the random number size in the range of 1 to 1000000 bytes.
  • Page 246: New Command: Fips Rng Entropy Size Filename

    round: Specifies the number of random number generations, in the range of 3 to 10. Usage guidelines Use this command in FIPS mode to calculate the average rate at which random numbers are generated. Examples # Generate five 100000-byte random numbers and calculate the average rate at which the random numbers are generated.
  • Page 247: New Command: Fips Rng Entropy Size Round Rate-Statistics

    New command: fips rng entropy size round rate-statistics Use fips rng entropy size round rate-statistics to calculate the average rate at which random number entropies are generated. Syntax fips rng entropy size entropy-size round round rate-statistics Views Probe view Predefined user roles network-admin Parameters entropy-size: Specifies the random number entropy size in the range of 1 to 1000000 bytes.
  • Page 248: New Command: Fips Algorithm Verify Param

    Usage guidelines Use this command in FIPS mode to derive a key for the third-party to determine whether the key meets the CC/FIPS authentication requirements. Examples # Derive an ikev1 pre-shared key from an import file named ikev1_psk.req and save the key to an export file named ikev1_psk.rsp.
  • Page 249: New Feature: Ssh Support For Suite B

    • Random number generator (RNG). • GCM. • GMAC. New feature: SSH support for Suite B Configuring SSH based on Suite B algorithms Suite B contains a set of encryption and authentication algorithms that meet high security requirements. Table 2 lists all algorithms in Suite B.
  • Page 250: Establishing A Connection To An Stelnet Server Based On Suite B

    Establishing a connection to an Stelnet server based on Suite B Task Command Remarks • Establish a connection to an IPv4 Stelnet server based on Suite B: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | escape character | source {...
  • Page 251: Establishing A Connection To An Scp Server Based On Suite B

    Establishing a connection to an SCP server based on Suite B Task Command Remarks • Establish a connection to an IPv4 SCP server based on Suite B: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain...
  • Page 252 Step Command Remarks dh-group14-sha1 | dh-group-exchange-sha1, ecdh-sha2-nistp256 | dh-group14-sha1, and ecdh-sha2-nistp384 } * dh-group1-sha1 in descending • order of priority for algorithm In FIPS mode: negotiation. ssh2 algorithm key-exchange { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } * Specifying public key algorithms for SSH2 Step Command Remarks...
  • Page 253: Command Reference

    Step Command Remarks | sha1-96 | sha2-256 | sha2-512 } * Command reference New command: display ssh2 algorithm Use display ssh2 algorithm to display algorithms used by SSH2 in the algorithm negotiation stage. Syntax display ssh2 algorithm Views Any view Predefined user roles network-admin network-operator...
  • Page 254: New Command: Ssh Server Pki-Domain

    • ssh2 algorithm mac • ssh2 algorithm public-key New command: ssh server pki-domain Use ssh server pki-domain to specify a PKI domain for the SSH server. Use undo ssh server pki-domain to delete the PKI domain of the SSH server. Syntax ssh server pki-domain domain-name undo ssh server pki-domain...
  • Page 255 Syntax scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ source { interface interface-type interface-number | ipv6 ipv6-address } ] * Views User view...
  • Page 256 Backslash Right angle bracket > Vertical bar Quotation marks " Colon Apostrophe server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding the characters listed in Table prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client.
  • Page 257: New Command: Scp Suite-B

    <Sysname> scp ipv6 2000::1 get abc.txt suite-b 192-bit pki-domain clientpkidomain server-pki-domain serverpkidomain New command: scp suite-b Use scp suite-b to establish a connection to an SCP server based on Suite B algorithms and transfer files with the server. Syntax scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ source { interface interface-type interface-number | ip ip-address } ] *...
  • Page 258 Table 7 Invalid characters for a PKI domain name Character name Symbol Character name Symbol Tilde Asterisk Left angle bracket < Backslash Right angle bracket > Vertical bar Quotation marks " Colon Apostrophe server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding the characters listed in Table...
  • Page 259: New Command: Sftp Ipv6 Suite-B

    New command: sftp ipv6 suite-b Use sftp ipv6 suite-b to establish a connection to an IPv6 SFTP server based on Suite B algorithms and enter SFTP client view. Syntax sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ -i interface-type interface-number ] [ prefer-compress zlib ] [ dscp dscp-value | source { interface interface-type interface-number | ipv6 ipv6-address } ] *...
  • Page 260: New Command: Sftp Suite-B

    Backslash Right angle bracket > Vertical bar Quotation marks " Colon Apostrophe server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding the characters listed in Table prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client.
  • Page 261 Syntax sftp server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | source { interface interface-type interface-number | ip ip-address } ] * Views User view Predefined user roles...
  • Page 262: New Command: Ssh2 Ipv6 Suite-B

    dscp dscp-value: Specifies the DSCP value in the IPv4 SFTP packets. The value range for the dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the transmission priority of the packet. source: Specifies a source IP address or source interface for the SFTP packets. By default, the device uses the primary IPv4 address of the output interface in the routing entry as the source address of SFTP packets.
  • Page 263 Parameters server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters. port-number: Specifies the port number of the server, in the range 1 to 65535. The default is 22. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.
  • Page 264: New Command: Ssh2 Suite-B

    For the escape sequence to take effect, you must enter it at the very beginning of a line. If you have entered other characters or performed operations in a line, enter the escape sequence in the next line. HPE recommends that you use the default escape character (~). Do not use any character in SSH usernames as the escape character.
  • Page 265 Predefined user roles network-admin Parameters server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters. port-number: Specifies the port number of the server, in the range 1 to 65535. The default is 22. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs.
  • Page 266: New Command: Ssh2 Algorithm Cipher

    For the escape sequence to take effect, you must enter it at the very beginning of a line. If you have entered other characters or performed operations in a line, enter the escape sequence in the next line. HPE recommends that you use the default escape character (~). Do not use any character in SSH usernames as the escape character.
  • Page 267 In FIPS mode: ssh2 algorithm cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } * undo ssh2 algorithm cipher Default SSH2 uses the encryption algorithms aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm, aes256-gcm, aes128-cbc, 3des-cbc, aes256-cbc, and des-cbc in descending order of priority for algorithm negotiation.
  • Page 268: New Command: Ssh2 Algorithm Key-Exchange

    New command: ssh2 algorithm key-exchange Use ssh2 algorithm key-exchange to specify key exchange algorithms for SSH2. Use undo ssh2 algorithm key-exchange to restore the default. Syntax In non-FIPS mode: ssh2 algorithm key-exchange { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } * undo ssh2 algorithm key-exchange In FIPS mode: ssh2 algorithm key-exchange { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 }...
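The following Python sketch is an added example, not part of the HPE release notes or HPE code. It replays `ssh2 algorithm cipher` and `ssh2 algorithm key-exchange` lines from a saved configuration and reports every effective keyword that falls outside the FIPS-mode sets listed above. The function names and the sample configuration are constructed for illustration, and the key-exchange default is not modelled.

```python
"""Audit 'ssh2 algorithm' lines against the FIPS-mode keyword sets in these notes.

Added example: the helper names and the sample configuration are constructed.
"""

# FIPS-mode keyword sets, copied from the FIPS-mode syntax in the release notes.
FIPS_ALLOWED = {
    "cipher": {"aes128-cbc", "aes256-cbc", "aes128-ctr", "aes192-ctr",
               "aes256-ctr", "aes128-gcm", "aes256-gcm"},
    "key-exchange": {"dh-group14-sha1", "ecdh-sha2-nistp256",
                     "ecdh-sha2-nistp384"},
}

# Default cipher list quoted in the release notes, highest priority first.
# Assumption: the key-exchange default is left out of this model.
DEFAULTS = {
    "cipher": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm",
               "aes256-gcm", "aes128-cbc", "3des-cbc", "aes256-cbc", "des-cbc"],
}


def effective_algorithms(config_text):
    """Replay the configuration and return {category: (keywords, source)}.

    A later command replaces an earlier one, and 'undo' restores the default,
    so the result is what the device would actually negotiate with.
    """
    state = {cat: (list(algs), "default") for cat, algs in DEFAULTS.items()}
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        words = raw.split()
        undo = words[:1] == ["undo"]
        if undo:
            words = words[1:]
        if len(words) < 3 or words[:2] != ["ssh2", "algorithm"]:
            continue
        category = words[2]
        if category not in FIPS_ALLOWED:
            continue  # mac and public-key are outside this example
        if undo:
            if category in DEFAULTS:
                state[category] = (list(DEFAULTS[category]), "default")
            else:
                state.pop(category, None)
        elif len(words) > 3:
            # Keyword order is negotiation priority: earlier means preferred.
            state[category] = (words[3:], f"line {lineno}")
    return state


def audit(config_text):
    """Return (category, keyword, priority, source) for each non-FIPS keyword."""
    findings = []
    for category, (algs, source) in sorted(effective_algorithms(config_text).items()):
        for priority, alg in enumerate(algs, start=1):
            if alg not in FIPS_ALLOWED[category]:
                findings.append((category, alg, priority, source))
    return findings


# Constructed sample: the explicit cipher list is later undone, so the default
# list (which still contains 3des-cbc and des-cbc) is back in effect.
SAMPLE_CONFIG = """\
#
ssh2 algorithm key-exchange dh-group1-sha1 ecdh-sha2-nistp256
ssh2 algorithm cipher aes256-gcm aes128-ctr
undo ssh2 algorithm cipher
#
"""

if __name__ == "__main__":
    for category, alg, priority, source in audit(SAMPLE_CONFIG):
        print(f"{category}: {alg} (priority {priority}, from {source})")
```

The priority column matters because the first listed keyword is the one the device prefers during negotiation, so a weak keyword at priority 1 deserves attention before one at the end of the list.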
  • Page 269: New Command: Ssh2 Algorithm Mac

    Related commands • display ssh2 algorithm • ssh2 algorithm cipher • ssh2 algorithm mac • ssh2 algorithm public-key New command: ssh2 algorithm mac Use ssh2 algorithm mac to specify MAC algorithms for SSH2. Use undo ssh2 algorithm mac to restore the default. Syntax In non-FIPS mode: ssh2 algorithm mac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } *...
  • Page 270: New Command: Ssh2 Algorithm Public-Key

    Examples # Specify the algorithm md5 as the MAC algorithm for SSH2. <Sysname> system-view [Sysname] ssh2 algorithm mac md5 Related commands • display ssh2 algorithm • ssh2 algorithm cipher • ssh2 algorithm key-exchange • ssh2 algorithm public-key New command: ssh2 algorithm public-key Use ssh2 algorithm public-key to specify public key algorithms for SSH2.
  • Page 271: Modified Command: Display Ssh Server

    x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp384. Usage guidelines If you specify the public key algorithms, SSH2 uses only the specified algorithms for algorithm negotiation. The algorithm specified earlier has a higher priority during negotiation. Examples # Specify the algorithm dsa as the public key algorithm for SSH2. <Sysname>...
  • Page 272: Modified Command: Scp

    New syntax In non-FIPS mode: ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | { any | password-publickey | publickey } [ assign { pki-domain domain-name | publickey keyname } ] } undo ssh user username In FIPS mode: ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type...
  • Page 273 scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc |...
  • Page 274 Backslash Right angle bracket > Vertical bar Quotation marks " Colon Apostrophe • Keywords for specifying the publickey algorithms used in publickey authentication: ecdsa: Specifies the public key algorithm ecdsa. x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp256. x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm...
  • Page 275: Modified Command: Scp Ipv6

    The des keyword was changed to des-cbc. The default settings for the following algorithms were changed: • For the preferred client-to-server encryption algorithm prefer-ctos-cipher: Before modification: The default is aes128. After modification: The default is aes128-ctr. • For the preferred client-to-server HMAC algorithm prefer-ctos-hmac: Before modification: The default is sha1.
  • Page 276 { sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] * New syntax In non-FIPS mode: scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc |...
  • Page 277 Character name Symbol Character name Symbol Tilde Asterisk Left angle bracket < Backslash Right angle bracket > Vertical bar Quotation marks " Colon Apostrophe • Keywords for specifying the publickey algorithms used in publickey authentication: ecdsa: Specifies the public key algorithm ecdsa...
  • Page 278: Modified Command: Sftp

    • Keywords for the preferred server-to-client encryption algorithm prefer-stoc-cipher: The 3des keyword was changed to 3des-cbc. The aes128 keyword was changed to aes128-cbc. The aes256 keyword was changed to aes256-cbc. The des keyword was changed to des-cbc...
  • Page 279 sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ip ip-address } ] * New syntax...
  • Page 280 The PKI domain name cannot contain characters in the following table: Character name Symbol Character name Symbol Tilde Asterisk Left angle bracket < Backslash Right angle bracket > Vertical bar Quotation marks " Colon Apostrophe • Keywords for specifying the publickey algorithms used in publickey authentication: ecdsa: Specifies the public key algorithm ecdsa.
  • Page 281: Modified Command: Sftp Ipv6

    • Keywords for the preferred server-to-client encryption algorithm prefer-stoc-cipher: The 3des keyword was changed to 3des-cbc. The aes128 keyword was changed to aes128-cbc. The aes256 keyword was changed to aes256-cbc. The des keyword was changed to des-cbc...
  • Page 282 sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] * New syntax...
  • Page 283 case-insensitive string of 1 to 31 characters. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate. The PKI domain name cannot contain characters in the following table: Character name Symbol Character name...
  • Page 284: Modified Command: Ssh2

    The dh-group1 keyword was changed to dh-group1-sha1. The dh-group14 keyword was changed to dh-group14-sha1. • Keywords for the preferred server-to-client encryption algorithm prefer-stoc-cipher: The 3des keyword was changed to 3des-cbc. The aes128 keyword was changed to aes128-cbc...
  • Page 285 In FIPS mode: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ escape character | publickey keyname | source { interface interface-type interface-number | ip ip-address } ] * New syntax...
  • Page 286 case-insensitive string of 1 to 31 characters. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate. The PKI domain name cannot contain characters in the following table: Character name Symbol Character name...
  • Page 287: Modified Command: Ssh2 Ipv6

    The dh-group1 keyword was changed to dh-group1-sha1. The dh-group14 keyword was changed to dh-group14-sha1. • Keywords for the preferred server-to-client encryption algorithm prefer-stoc-cipher: The 3des keyword was changed to 3des-cbc. The aes128 keyword was changed to aes128-cbc...
  • Page 288 In FIPS mode: ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ escape character | publickey keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] * New syntax...
  • Page 289 server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate. The PKI domain name cannot contain characters in the following table: Character name Symbol...
  • Page 290: New Command: Fips Kdf Ssh

    • Keywords for the preferred key exchange algorithm prefer-kex: The dh-group-exchange keyword was changed to dh-group-exchange-sha1. The dh-group1 keyword was changed to dh-group1-sha1. The dh-group14 keyword was changed to dh-group14-sha1. • Keywords for the preferred server-to-client encryption algorithm prefer-stoc-cipher: The 3des keyword was changed to 3des-cbc.
  • Page 291: Peer Group

    Predefined user roles network-admin Parameters import single-request-file: Specifies the name of the single request file generated by CAVS. export validation-file: Specifies a name for the validation file to be generated. Usage guidelines SSH gets parameters from the single request file and sends them to the key derivation module. After the key derivation module returns the calculation result, SSH stores the calculation result in the validation file.
  • Page 292: Command Reference

    Command reference peer ignore-first-as Use peer ignore-first-as to configure BGP to ignore the first AS number of EBGP route updates for a peer or peer group. Use undo peer ignore-first-as to restore the default. Syntax peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } ignore-first-as undo peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } ignore-first-as Default...
  • Page 293: Feature Change Description

    Examples # In BGP instance view, configure BGP to ignore the first AS number of EBGP route updates for the peer group test. <Sysname> system-view [Sysname] bgp 100 [Sysname-bgp-default] peer test ignore-first-as Modified feature: Support for Ethernet link aggregation on Layer 3 Ethernet subinterfaces Feature change description Layer 3 Ethernet subinterfaces can be assigned to Layer 3 aggregation groups.
  • Page 294: Subinterfaces

    Step Command Remarks Enter system view. system-view By default, the system LACP priority is 32768. Set the system LACP lacp system-priority Changing the system LACP priority. system-priority priority might affect the aggregation states of the ports in the dynamic aggregation group. When you create a Layer 3 Create a Layer 3 aggregate aggregate interface, the system...
  • Page 295: Command Changes

    Command changes Modified command: lacp mode Syntax lacp mode passive Views Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view Change description Layer 3 Ethernet subinterface view was added. Modified command: lacp period short Syntax lacp period short Views...
  • Page 296: Modified Feature: Changing The Maximum Number Of Fib Table Entries

    Change description Layer 3 Ethernet subinterface view was added. A Layer 3 Ethernet subinterface can belong to only one aggregation group. You cannot create subinterfaces on a Layer 3 Ethernet interface that is in an aggregation group. You cannot assign a Layer 3 Ethernet interface that contains subinterfaces to an aggregation group. When you assign a Layer 3 Ethernet subinterface to an aggregation group, follow these restrictions and guidelines: •...
  • Page 297: Modified Feature: Enabling Cwmp

    Modified feature: Enabling CWMP Feature change description The default CWMP status was changed from disabled to enabled. To enable CWMP: Step Command Remarks Enter system view. system-view Enter CWMP view. cwmp Enable CWMP. cwmp enable By default, CWMP is enabled. Command changes Modified command: cwmp enable Syntax...
  • Page 298: New Feature: Ike

    New feature: IKE Feature change description IKEv2 was added. For more information about IKEv2 configuration, see the HPE FlexNetwork MSR Routers Security Configuration Guide(V7). Command changes New command: IKEv2 command For more information about IKEv2 commands, see the HPE FlexNetwork MSR Routers Security Command Reference(V7).
  • Page 299: New Command: Esn Enable

    ah authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } * undo ah authentication-algorithm In FIPS mode: ah authentication-algorithm { sha1 | sha256 | sha384 | sha512 } * undo ah authentication-algorithm Views IPsec transform set view Change description The following keywords were added:...
  • Page 300: Modified Command: Esp Authentication-Algorithm

    Usage guidelines The ESN feature extends the sequence number length from 32 bits to 64 bits. This feature prevents the sequence number space from being exhausted when large volumes of data are transmitted at high speeds over an IPsec SA. If the sequence number space is not exhausted, the IPsec SA does not need to be renegotiated.
  • Page 301: Modified Command: Esp Encryption-Algorithm

    • sha256: Specifies the HMAC-SHA256 algorithm, which uses a 256-bit key. This keyword is available only for IKEv2. • sha384: Specifies the HMAC-SHA384 algorithm, which uses a 384-bit key. This keyword is available only for IKEv2. • sha512: Specifies the HMAC-SHA512 algorithm, which uses a 512-bit key. This keyword is available only for IKEv2.
  • Page 302: Modified Command: Pfs

    Views IPsec transform set view Change description The following keywords were added: • aes-ctr-128: Specifies the AES algorithm in CTR mode, which uses a 128-bit key. This keyword is available only for IKEv2. • aes-ctr-192: Specifies the AES algorithm in CTR mode, which uses a 192-bit key. This keyword is available only for IKEv2.
  • Page 303: New Command: Tfc Enable

    pfs dh-group14 undo pfs New syntax In non-FIPS mode: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 | dh-group19 | dh-group20 } undo pfs In FIPS mode: pfs { dh-group14 | dh-group19 | dh-group20 } undo pfs Views IPsec transform set view Change description...
  • Page 304: Modified Command: Public-Key Local Create

    encapsulated by ESP in transport mode and on original IP packets encapsulated by ESP in tunnel mode. Examples # Enable TFC padding for the IPsec policy policy1. <Sysname> system-view [Sysname] ipsec policy policy1 10 isakmp [Sysname-ipsec-policy-isakmp-policy1-10] tfc enable Related commands •...
  • Page 305: Release 0304P12

    • secp192r1: Uses the secp192r1 curve to generate the key pair. • secp256r1: Uses the secp256r1 curve to generate the key pair. • secp384r1: Uses the secp384r1 curve to generate the key pair. Release 0304P12 This release has the following changes: New feature: Including vendor information in PPP accounting requests New feature: BFD for an aggregation group Modified feature: SSH username...
  • Page 306: New Feature: Bfd For An Aggregation Group

    Ethernet subinterface view Predefined user roles network-admin Parameters adsl-forum: Specifies the ADSL forum vendor information. cn-telecom: Specifies the China Telecom vendor information. Examples # Include China Telecom vendor information in the PPP accounting requests. <Sysname> system-view [Sysname] interface gigabitethernet 2/0/1 [Sysname-GigabitEthernet2/0/1] pppoe-server account-vendor cn-telecom New feature: BFD for an aggregation group Configuring BFD for an aggregation group...
  • Page 307: Configuration Procedure

    BFD sessions for link aggregation do not support the echo packet mode and the Demand mode. • HPE recommends not configuring other protocols to collaborate with BFD on a BFD-enabled aggregate interface. • Make sure the number of member ports in a BFD-enabled aggregation group is not larger than the number of BFD sessions supported by the device.
  • Page 308: Modified Feature: Ssh Username

    BFD sessions for link aggregation do not support the echo packet mode and the Demand mode. HPE recommends not configuring other protocols to collaborate with BFD on a BFD-enabled aggregate interface. Make sure the number of member ports in a BFD-enabled aggregation group is not larger than the number of BFD sessions supported by the device.
  • Page 309: Command Changes

    Command changes Modified command: ssh user Syntax In non-FIPS mode: ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | { any | password-publickey | publickey } assign { pki-domain domain-name | publickey keyname } } undo ssh user username In FIPS mode: ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password |...
  • Page 310: Command Changes

    Command changes Modified command: isis timer hello Syntax isis timer hello seconds [ level-1 | level-2 ] undo isis timer hello [ level-1 | level-2 ] Views Interface view Change description The value range for the seconds argument was changed to 1 to 255 seconds. Modified feature: MP-group interface numbering Feature change description In this release, the numbering for MP-group interfaces is changed.
  • Page 311: Modified Command: Ppp Mp Mp-Group

    Change description MP-group interfaces on MSR4000 routers are numbered in the 2/0/x format. Modified command: ppp mp mp-group Syntax ppp mp mp-group mp-number Views Interface view Change description MP-group interfaces on MSR4000 routers are numbered in the 2/0/x format. Modified command: reset counters interface mp-group Syntax reset counters interface [ mp-group [ interface-number ] ] Views...
  • Page 312: Modified Feature: Esp Encryption Algorithms

    Use undo sip log enable to disable MSC logging. Syntax sip log enable undo sip log enable Default MSC logging is disabled. Views Voice view Predefined user roles network-admin Usage guidelines This command enables the router to generate MSC logs and send the logs to the information center. The information center outputs the logs to a destination according to an output rule.
  • Page 313: Release 0304P02

    New Syntax High encryption (in non-FIPS mode): esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null | sm1-cbc-128 | sm1-cbc-192 | sm1-cbc-256 | sm4-cbc } * Views IPsec transform set view Change description The sm4-cbc keyword was added to support the CBC-mode SM4 algorithm, which uses a 128-bit key.
  • Page 314: Command Reference

    Command reference ppp lcp imsi accept Use ppp lcp imsi accept to enable the client to accept the IMSI binding authentication requests from the LNS. Use undo ppp lcp imsi accept to restore the default. Syntax ppp lcp imsi accept undo ppp lcp imsi accept Default The client declines the IMSI binding authentication requests from the LNS.
  • Page 315: Ppp Lcp Imsi String

    Views Interface view Predefined user roles network-admin Examples # Enable the LNS to initiate IMSI binding authentication requests. <Sysname> system-view [Sysname] interface virtual-template 1 [Sysname-Virtual-Template1] ppp lcp imsi request Related commands • ppp lcp imsi accept • ppp lcp imsi string ppp lcp imsi string Use ppp lcp imsi string imsi-info to configure the IMSI information on the client.
  • Page 316: Ppp Lcp Sn Accept

    ppp lcp sn accept Use ppp lcp sn accept to enable the client to accept the SN binding authentication requests from the LNS. Use undo ppp lcp sn accept to restore the default. Syntax ppp lcp sn accept undo ppp lcp sn accept Default The client declines the SN binding authentication requests from the LNS.
  • Page 317: Ppp Lcp Sn String

    Predefined user roles network-admin Examples # Enable the LNS to initiate SN binding authentication requests. <Sysname> system-view [Sysname] interface virtual-template 1 [Sysname-Virtual-Template1] ppp lcp sn request Related commands • ppp lcp sn accept • ppp lcp sn string ppp lcp sn string Use ppp lcp sn string sn-info to configure the SN information on the client.
  • Page 318: Ppp User Accept-Format Imsi-Sn Split

    ppp user accept-format imsi-sn split Use ppp user accept-format imsi-sn split splitchart to configure the separator for the received authentication information. Use undo ppp user accept-format to restore the default. Syntax ppp user accept-format imsi-sn split splitchart undo ppp user accept-format Default No separator is configured for the received authentication information.
  • Page 319: Ppp User Attach-Format Imsi-Sn Split

    ppp user attach-format imsi-sn split Use ppp user attach-format imsi-sn split splitchart to configure the separator for the sent authentication information. Use undo ppp user attach-format to restore the default. Syntax ppp user attach-format imsi-sn split splitchart undo ppp user attach-format Default No separator is configured for the sent authentication information.
  • Page 320: New Feature: Specifying A Band For A 4G Modem

    Use undo ppp user replace to restore the default. Syntax ppp user replace { imsi | sn } undo ppp user replace Default The client username is used for authentication. Views Interface view Predefined user roles network-admin Examples # Replace the client username with the IMSI information for authentication. <Sysname>...
  • Page 321: New Feature: Cfd

    The router supports the CFD feature. New feature: Using tunnel interfaces as OpenFlow ports The MSR1000 routers support using tunnel interfaces as OpenFlow ports. New feature: NETCONF support for ACL filtering The feature enables the device to use an ACL to filter NETCONF over SOAP traffic.
  • Page 322: Netconf Soap Https Acl

    Syntax netconf soap http acl { acl-number | name acl-name } undo netconf soap http acl Default No ACL is applied to NETCONF over SOAP over HTTP traffic. Views System view Predefined user roles network-admin Parameters acl-number: Specifies an ACL by its number in the range of 2000 to 2999. name acl-name: Specifies an ACL by its name.
  • Page 323: New Feature: Specifying A Backup Traffic Processing Unit

    New feature: Specifying a backup traffic processing unit Specifying a backup traffic processing unit This release added support for specifying a backup traffic unit for an interface. Command reference service standby For more information about this command, see HPE FlexNetwork MSR Command References(V7).
  • Page 324: New Feature: Waas

    MSR3000. • MSR4000. Command reference For more information about WAAS commands, see HPE FlexNetwork MSR Routers Layer 3 - IP Services Command Reference(V7). New feature: Support for the MKI field in SRTP or SRTCP packets This feature enables the router to add the MKI field to outgoing SRTP or SRTCP packets. You can set the length of the MKI field.
  • Page 325: New Feature: Sip Domain Name

    Predefined user roles network-admin Parameters mki-length: Specifies the length of the MKI field, in the range of 1 to 128 bits. Usage guidelines This command takes effect only when SRTP is the media stream protocol for SIP calls. To specify SRTP as the media stream protocol for SIP calls, use the srtp command.
  • Page 326: New Feature: E&M Logging

    Parameters domain-name: Specifies the SIP domain name, a case-insensitive string of 1 to 31 characters. Valid characters are letters, digits, underscore (_), hyphen (-), and dot (.). Examples # Populate the CONTACT header field of outgoing SIP packets with the SIP domain name abc.com. <Sysname>...
  • Page 327: Modified Feature: Setting The Global Link-Aggregation Load-Sharing Mode

    Modified feature: Setting the global link-aggregation load-sharing mode Feature change description The bandwidth-usage keyword was added to the link-aggregation global load-sharing mode command. You can set the global load-sharing mode to load share traffic based on bandwidth usage. Command changes Modified command: link-aggregation global load-sharing mode Old syntax link-aggregation...
  • Page 328: New Feature: Setting The Rtc Version

    New feature: VPLS New feature: Multicast VPN support for inter-AS option B Modified feature: 802.1X redirect URL Modified feature: Displaying information about NTP servers from the reference source to the primary NTP server Modified feature: Saving, rolling back, and loading the configuration Modified feature: Displaying information about SSH users Removed feature: Displaying fabric utilization New feature: Setting the RTC version...
  • Page 329: New Feature: Setting The Maximum Size Of Advertisement Files

    Views System view Predefined user roles network-admin Parameters V3: Sets the RTC version to Version 3. V5: Sets the RTC version to Version 5. Usage guidelines Comware V5/V7-based routers support both RTC Version 3 and Version 5. Comware V3-based routers support only RTC Version 3. For a Comware V5/V7-based router to communicate with a Comware V3-based router, set the RTC version to Version 3 on the Comware V5/V7-based router.
  • Page 330: Command Reference

    See HPE FlexNetwork MSR Router Virtual Technologies Command Reference(V7). New feature: Frame Relay Configuring Frame Relay See HPE FlexNetwork MSR Routers Layer 2 - WAN Configuration Guide(V7). Command reference See HPE FlexNetwork MSR Routers Layer 2 - WAN Command Reference(V7).
  • Page 331: New Feature: Multicast Vpn Support For Inter-As Option B

    New feature: Multicast VPN support for inter-AS option B Configuring Multicast VPN support for inter-AS option B See HPE FlexNetwork MSR Routers IP Multicast Configuration Guide(V7). Command reference See HPE FlexNetwork MSR Routers IP Multicast Command Reference(V7). Modified feature: 802.1X redirect URL...
  • Page 332: Modified Feature: Displaying Information About Ntp Servers From The Reference

    Modified feature: Displaying information about NTP servers from the reference source to the primary NTP server Feature change description The source interface-type interface-number option was added to the display ntp-service trace command. Command changes Modified command: display ntp-service trace Old syntax display ntp-service trace New syntax display ntp-service trace [ source interface-type interface-number ]...
  • Page 333: Command Changes

    • Multiple users are allowed to simultaneously perform the save, rollback, or load operation, but the result returned to each user might be inconsistent with the user request. Do not perform the save, rollback, or load operation when a lot of users are performing the operation. Command changes None Modified feature: Displaying information about SSH...
  • Page 334: Removed Command

    ESS 0302P06 This release has the following changes: New feature: Object policies New feature: IPHC See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7). New feature: Support of PPPoE server for IPv6 See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).
  • Page 335 New feature: ARP PnP See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7). New feature: Support of Syslog for DNS and support of customlog&userlog for IPv6 hosts See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).
  • Page 336: New Feature: Object Policies

    A zone pair has a source security zone and a destination security zone. ASPF uses zone pairs to identify the data flows to be examined. ASPF examines only received first data packets. Command reference See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7). New feature: IPHC Configuring IPHC The device supports PPP IPHC and frame relay IPHC.
  • Page 337: New Feature: Support Of Pppoe Server For Ipv6

    On IPv6 networks, PPP negotiates only the IPv6 interface identifier instead of the IPv6 address and IPv6 DNS server address during IPv6CP negotiation. Command reference See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7). New feature: QSIG tunneling over SIP-T...
  • Page 338: New Feature: Bgp L2Vpn Support For Nsr

    The active BGP process backs up BGP peers and routing information to the standby BGP process only when BGP NSR is enabled. Command reference See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7). New feature: BGP support for dynamic peers...
  • Page 339: Ipv6 Hosts

    If you configure both export destinations, the flow logs are exported to the information center and are not exported to the log host. Command reference See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7). New feature: QoS soft forwarding Configuring QoS soft forwarding •...
  • Page 340: New Feature: Filtering By Application Layer Protocol Status

    ASPF inspection supports protocol status validity check for application protocols of DNS, FTP, H323, HTTP, SCCP, SIP, and SMTP. ASPF drops packets with invalid protocol status. Command reference See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7). New feature: ADVPN support for multicast forwarding...
  • Page 341: New Feature: Port Security

    802.1X SmartOn—This feature was developed to support the NEC 802.1X client. The device performs SmartOn authentication before 802.1X authentication. If a user fails SmartOn authentication, the device stops 802.1X authentication for the user. Command reference See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).
  • Page 342: New Feature: Customizable Ivr

    If a subscriber dials an IVR access number, the IVR system plays the prerecorded voice prompts to direct the subscriber on how to proceed. Command reference See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7). New feature: SRST Configuring SRST SRST provides call handling for a branch office when the branch office loses connectivity to the central voice server or the WAN connection is down.
  • Page 343: Command Reference

    Command reference See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7). New feature: Support of MFR and FR for L2VPN, FR QoS, and FR compression and fragmentation Configuring Support of MFR and FR for L2VPN, FR QoS, and FR...
  • Page 344: New Feature: Sms-Based Automatic Configuration

    SMS gateway. This feature can be used when the devices to be configured are widely distributed and there are 3G or 4G networks available for wireless communication. Command reference See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7). New feature: ARP attack protection...
  • Page 345: Configuration Guidelines

    Configuration guidelines When you enable SIP support for VRF, follow these guidelines: • You cannot associate a VPN instance with SIP or remove the association when a SIP service such as calling, registration, subscription, or the keepalive function is being used. •...
  • Page 346: Ess 0102

    Parameters vpn-instance-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters. Usage guidelines The VPN instance to associate with SIP must be already created. You cannot associate a VPN instance or remove the association when a SIP service is being used. Examples # Associate the VPN instance vpn-voice with SIP.
  • Page 347: Command Reference

    The device supports portal 2.0 and portal 3.0. Command reference See HPE FlexNetwork MSR Command References(V7). New feature: MSDP Configuring MSDP MSDP is an inter-domain multicast solution that addresses the interconnection of PIM-SM domains.
  • Page 348: Command Reference

    A PD can also use a different power source from the PSE at the same time for power redundancy. For more information about configuring PoE, see "PoE Configuration Guide" in HPE FlexNetwork MSR Configuration Guides(V7). Command reference...
  • Page 349: New Feature: Copp Software Forwarding Feature

    New feature: CoPP software forwarding feature Configuring CoPP If the rate of packets sent to the control plane exceeds the processing capabilities of the control plane (for example, when the device is suffering DoS attacks), the normal packets sent to the control plane cannot be promptly processed, thus affecting the normal operation of protocols.
  • Page 350: Control-Plane Management

    [Sysname] control-plane slot 3 [Sysname-cp-slot3] control-plane management IMPORTANT: A QoS policy applied to the management interface control plane takes effect on the packets sent from the management interface to the control plane. Use control-plane management to enter management interface control plane view. Syntax control-plane management Views...
  • Page 351: New Feature: Configuring Mpls Ldp Frr

    Parameters policy-name: Specifies a QoS policy by its name, a case-sensitive string of 1 to 31 characters. inbound: Applies the QoS policy to the incoming traffic of an interface, a control plane, or a management interface control plane. outbound: Applies the QoS policy to the outgoing traffic of an interface. Usage guidelines To successfully apply a QoS policy to an interface, make sure the total bandwidth assigned to AF and EF queues in the QoS policy is smaller than the available bandwidth of the interface.
  • Page 352: Command Reference

    If a new LSP is not established after IGP route convergence, traffic forwarding might be interrupted. Therefore, HPE recommends that you enable LDP IGP synchronization to work with LDP FRR to reduce the traffic interruption time.
  • Page 353: Igp Sync Delay On-Restart

    Usage guidelines LDP convergence on a link is completed when the following occur: • The local device establishes an LDP session to at least one peer, and the LDP session is already in Operation state. • The local device has distributed the label mappings to at least one peer. MPLS traffic forwarding might be interrupted in one of the following scenarios: •...
  • Page 354: Mpls Ldp Igp Sync Disable

    Views LDP view Predefined user roles network-admin Parameters time: Specifies the maximum notification delay in the range of 60 to 600 seconds. Usage guidelines After LDP restarts or an active/standby switchover occurs, LDP convergence begins after a period of time. If LDP immediately notifies IGP of all the current LDP IGP synchronization status, and updates the status after LDP convergence, IGP might frequently process the status, and the cost might increase.
  • Page 355: New Feature: Enhanced Routing Features

    Views Interface view Predefined user roles network-admin Usage guidelines After you enable LDP IGP synchronization for IGP, for example, an OSPF area or an IS-IS process, LDP IGP synchronization is enabled on the OSPF interfaces and IS-IS interfaces. To disable LDP IGP synchronization on an interface, execute the mpls ldp igp sync disable command on that interface.
  • Page 356: Ip Route-Static Fast-Reroute Auto

    Views RIB IPv4 address family view, RIB IPv6 address family view Predefined user roles network-admin Examples # Enable NSR for the RIB IPv4 address family. <Sysname> system-view [Sysname] rib [Sysname-rib] address-family ipv4 [Sysname-rib-ipv4] non-stop-routing ip route-static fast-reroute auto Use ip route-static fast-reroute auto to configure static route FRR to automatically select a backup next hop.
  • Page 357 undo import-route protocol [ process-id | all-processes ] Default RIP does not redistribute routes from any other routing protocol. Views RIP view Predefined user roles network-admin Parameters protocol: Specifies a routing protocol from which RIP redistributes routes. It can be bgp, direct, isis, ospf, rip, or static.
  • Page 358: Import-Route (Ospf View)

    <Sysname> system-view [Sysname] rip 1 [Sysname-rip-1] import-route static cost 4 Related commands default cost import-route (OSPF view) Use import-route to redistribute AS-external routes from another routing protocol. Use undo import-route to disable route redistribution from another routing protocol. Syntax import-route protocol [ process-id | all-processes | allow-ibgp ] [ allow-direct | cost cost | nssa-only | route-policy route-policy-name | tag tag | type type ] * undo import-route protocol [ process-id | all-processes ] Default...
  • Page 359 FULL state neighbors exist in the backbone area, the P-bit of Type-7 LSAs originated by the router is set to 0. This keyword applies to NSSA routers. route-policy route-policy-name: Specifies a routing policy to filter redistributed routes. The route-policy-name argument is a case-sensitive string of 1 to 63 characters. tag tag: Specifies a tag for marking external LSAs, in the range of 0 to 4294967295.
  • Page 360: Import-Route (Is-Is View)

    import-route (IS-IS view) Use import-route to redistribute routes from another routing protocol or another IS-IS process. Use undo import-route to remove the redistribution. Syntax import-route protocol [ process-id | all-processes | allow-ibgp ] [ allow-direct | cost cost | cost-type { external | internal } | [ level-1 | level-1-2 | level-2 ] | route-policy route-policy-name | tag tag ] * undo import-route protocol [ process-id | all-processes ] Default...
  • Page 361: Import-Route (Bgp View)

    by default. The keywords are available only when the cost type is narrow, narrow-compatible, or compatible. level-1: Redistributes routes into the Level-1 routing table. level-1-2: Redistributes routes into both Level-1 and Level-2 routing tables. level-2: Redistributes routes into the Level-2 routing table. If no level is specified, the routes are redistributed into the Level-2 routing table by default.
  • Page 362 Syntax In BGP IPv4 unicast address family view/BGP-VPN IPv4 unicast address family view: import-route protocol [ { process-id | all-processes } [ allow-direct | med med-value | route-policy route-policy-name ] * ] undo import-route protocol [ process-id | all-processes ] In BGP IPv6 unicast address family view/BGP-VPN IPv6 unicast address family view: import-route protocol [...
  • Page 363 Usage guidelines The import-route command cannot redistribute default IGP routes. To redistribute default IGP routes, use the default-route imported command together with the import-route command. Only active routes can be redistributed. You can use the display ip routing-table protocol or display ipv6 routing-table protocol command to view route state information.
  • Page 364: Import-Route (Ripng View)

    import-route (RIPng view) Use import-route to redistribute routes from another routing protocol. Use undo import-route to disable route redistribution. Syntax import-route protocol [ process-id ] [ allow-ibgp ] [ allow-direct | cost cost | route-policy route-policy-name ] * undo import-route protocol [ process-id ] Default RIPng does not redistribute routes from another routing protocol.
  • Page 365: Import-Route (Ospfv3 View)

    <Sysname> system-view [Sysname] ripng 100 [Sysname-ripng-100] import-route isisv6 7 cost 7 import-route (OSPFv3 view) Use import-route to redistribute routes. Use undo import-route to disable route redistribution. Syntax import-route protocol [ process-id | all-processes | allow-ibgp ] [ allow-direct | cost cost | nssa-only | route-policy route-policy-name | tag tag | type type ] * undo import-route protocol [ process-id | all-processes ] Default...
  • Page 366: Ipv6 Import-Route (Ipv6 Is-Is View)

    route-policy route-policy-name: Specifies a routing policy to filter redistributed routes. The route-policy-name argument is a case-sensitive string of 1 to 63 characters. tag tag: Specifies a tag for marking external LSAs, in the range of 0 to 4294967295. If this option is not specified, no tag is contained in advertised LSAs by default.
  • Page 367 Syntax ipv6 import-route protocol [ process-id ] [ allow-ibgp ] [ allow-direct | cost cost | [ level-1 | level-1-2 | level-2 ] | route-policy route-policy-name | tag tag ] * undo ipv6 import-route protocol [ process-id ] Default IPv6 does not redistribute routes from any other routing protocol. Views IS-IS view Predefined user roles...
  • Page 368: New Feature: Python

    Python scripts. You can use a Python script to configure the system automatically. To use Python 2.7 commands and the APIs, you must enter the Python shell. Command reference See HPE FlexNetwork MSR Command References(V7). New feature: ATM Configuring ATM Asynchronous Transfer Mode (ATM) is a technology based on packet transmission mode while incorporating the high speed of circuit transmission mode.
  • Page 369: Command Reference

    In addition, it can be used to carry limited flow control, congestion control, and error control information. Command reference See HPE FlexNetwork MSR Command References(V7). New feature: DHCP MIB DHCP MIB The MIB supports HH3C-DHCP4-MIB and HH3C-DHCP-SNOOP2-MIB.
  • Page 370 hex hex-string: Matches the specified string in the option, which must be a hex string of even numbers in the range of 2 to 256. If you do not specify the hex-string argument, the DHCP server only checks whether the specified option exists in the received packets. mask mask: Specifies the mask used to match the option content.
  • Page 371: Ess 0006P02

    # Configure match rule 3 to match DHCP requests that contain Option 82 whose highest bit of the fourth byte is 1 for DHCP user class exam. <Sysname> system-view [Sysname] dhcp class exam [Sysname-dhcp-class-exam] if-match rule 3 option 82 hex 00000080 mask 00000080 Related commands dhcp class ESS 0006P02...

This manual is also suitable for:

Msr2000, Msr3000, Msr4000-cmw710-r0306p30-us
